WhatsApp flaw leaves users open to 'shoulder surfing' attacks

Hackers can gain full access to individual’s WhatsApp accounts using just their phone number

WhatsApp users are susceptible to shoulder surfing attacks due to the way the service restores accounts to new devices, with hackers able to compromise individuals using just their phone number.

Messages sent through WhatsApp are protected through end-to-end encryption, meaning its incredibly challenging for hackers to intercept and spy on communications data.

Advertisement - Article continues below

However, a security expert has demonstrated how criminals may be able to compromise users by downloading their accounts to third-party devices.

Users logging into WhatsApp on a new device must first acquire a unique code that’s sent to them via text message. This code, once entered into the app, will validate the phone and restore account settings and history from a backup.

Should hackers manage to obtain a victim’s phone number, they can download WhatsApp on a clean device and enter this to request an account restoration code be sent via text message. Should they be within spying distance of the victim’s smartphone, they can obtain that code as and when it’s sent, according to ESET security specialist Jake Moore

From there, by simply entering the unique code into their clean device, they can fully compromise the victim’s WhatsApp account.

Moore said he devised the theory and decided to test it on a colleague, who often finds themselves at the end of his social engineering experiments. 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

“Recently, I threw into our conversation that it’s always a good idea to back up your WhatsApp chats, just in case she didn’t, as I wouldn’t want her to lose them forever,” Moore said. “A few days later, I used my spare phone and downloaded the app. It requested my phone number to verify the device it was to be installed on.”

“It wasn’t long before my colleague left her desk to make a coffee, leaving her phone in view on her desk, so I entered her phone number into my new WhatsApp account. 

Related Resource

Remote office networks pose a business and reliability risk

A survey of IT professionals shows that nearly every company suffers direct business impact from network service interruptions

Download now

“Her phone instantly received a message (on silent) and I walked past her desk mentally noting the code. I typed it in the verification field on my spare phone. Et voilà - I had control of her account.”

While employees and IT teams may take all the precautions in the world to guard against network-based cyber attacks, they may find themselves vulnerable to in-person shoulder surfing attacks.

Advertisement - Article continues below

It’s a huge risk when in the office or even out and about. Moore, for instance, highlighted how likely we are to leave our phones by our desks while in the office, or on the table in a restaurant when dining with others.

Moore has recommended WhatsApp users guard against the attack by turning off previews for SMS messages, and, more importantly, never leave their devices unattended.

Moreover, WhatsApp created its own two-factor authentication process, which can be turned on by heading into the settings menu. Once enabled, the app will ask users for a custom PIN number at random times when they open the app. 

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

Russia hacked Liam Fox's personal email to steal trade documents
phishing

Russia hacked Liam Fox's personal email to steal trade documents

4 Aug 2020
British teenager charged over Twitter hack
hacking

British teenager charged over Twitter hack

3 Aug 2020
Mid-year report says vulnerabilities up 22% in 2020
hacking

Mid-year report says vulnerabilities up 22% in 2020

30 Jul 2020
BlackRock banking Trojan targets Android apps
trojans

BlackRock banking Trojan targets Android apps

27 Jul 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
UN report points to a 350% rise in phishing websites at start of 2020
phishing

UN report points to a 350% rise in phishing websites at start of 2020

7 Aug 2020