WhatsApp flaw leaves users open to 'shoulder surfing' attacks

WhatsApp chat on a smartphone screen

WhatsApp users are susceptible to shoulder surfing attacks due to the way the service restores accounts to new devices, with hackers able to compromise individuals using just their phone number.

Messages sent through WhatsApp are protected through end-to-end encryption, meaning its incredibly challenging for hackers to intercept and spy on communications data.

However, a security expert has demonstrated how criminals may be able to compromise users by downloading their accounts to third-party devices.

Users logging into WhatsApp on a new device must first acquire a unique code that’s sent to them via text message. This code, once entered into the app, will validate the phone and restore account settings and history from a backup.

Should hackers manage to obtain a victim’s phone number, they can download WhatsApp on a clean device and enter this to request an account restoration code be sent via text message. Should they be within spying distance of the victim’s smartphone, they can obtain that code as and when it’s sent, according to ESET security specialist Jake Moore.

From there, by simply entering the unique code into their clean device, they can fully compromise the victim’s WhatsApp account.

Moore said he devised the theory and decided to test it on a colleague, who often finds themselves at the end of his social engineering experiments.

“Recently, I threw into our conversation that it’s always a good idea to back up your WhatsApp chats, just in case she didn’t, as I wouldn’t want her to lose them forever,” Moore said. “A few days later, I used my spare phone and downloaded the app. It requested my phone number to verify the device it was to be installed on.”

“It wasn’t long before my colleague left her desk to make a coffee, leaving her phone in view on her desk, so I entered her phone number into my new WhatsApp account.


Remote office networks pose a business and reliability risk

A survey of IT professionals shows that nearly every company suffers direct business impact from network service interruptions


“Her phone instantly received a message (on silent) and I walked past her desk mentally noting the code. I typed it in the verification field on my spare phone. Et voilà - I had control of her account.”

While employees and IT teams may take all the precautions in the world to guard against network-based cyber attacks, they may find themselves vulnerable to in-person shoulder surfing attacks.

It’s a huge risk when in the office or even out and about. Moore, for instance, highlighted how likely we are to leave our phones by our desks while in the office, or on the table in a restaurant when dining with others.

Moore has recommended WhatsApp users guard against the attack by turning off previews for SMS messages, and, more importantly, never leave their devices unattended.

Moreover, WhatsApp created its own two-factor authentication process, which can be turned on by heading into the settings menu. Once enabled, the app will ask users for a custom PIN number at random times when they open the app.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.