WhatsApp flaw leaves users open to 'shoulder surfing' attacks

Hackers can gain full access to individual’s WhatsApp accounts using just their phone number

WhatsApp users are susceptible to shoulder surfing attacks due to the way the service restores accounts to new devices, with hackers able to compromise individuals using just their phone number.

Messages sent through WhatsApp are protected through end-to-end encryption, meaning its incredibly challenging for hackers to intercept and spy on communications data.

However, a security expert has demonstrated how criminals may be able to compromise users by downloading their accounts to third-party devices.

Users logging into WhatsApp on a new device must first acquire a unique code that’s sent to them via text message. This code, once entered into the app, will validate the phone and restore account settings and history from a backup.

Should hackers manage to obtain a victim’s phone number, they can download WhatsApp on a clean device and enter this to request an account restoration code be sent via text message. Should they be within spying distance of the victim’s smartphone, they can obtain that code as and when it’s sent, according to ESET security specialist Jake Moore

From there, by simply entering the unique code into their clean device, they can fully compromise the victim’s WhatsApp account.

Moore said he devised the theory and decided to test it on a colleague, who often finds themselves at the end of his social engineering experiments. 

“Recently, I threw into our conversation that it’s always a good idea to back up your WhatsApp chats, just in case she didn’t, as I wouldn’t want her to lose them forever,” Moore said. “A few days later, I used my spare phone and downloaded the app. It requested my phone number to verify the device it was to be installed on.”

“It wasn’t long before my colleague left her desk to make a coffee, leaving her phone in view on her desk, so I entered her phone number into my new WhatsApp account. 

Related Resource

Remote office networks pose a business and reliability risk

A survey of IT professionals shows that nearly every company suffers direct business impact from network service interruptions

Download now

“Her phone instantly received a message (on silent) and I walked past her desk mentally noting the code. I typed it in the verification field on my spare phone. Et voilà - I had control of her account.”

While employees and IT teams may take all the precautions in the world to guard against network-based cyber attacks, they may find themselves vulnerable to in-person shoulder surfing attacks.

It’s a huge risk when in the office or even out and about. Moore, for instance, highlighted how likely we are to leave our phones by our desks while in the office, or on the table in a restaurant when dining with others.

Moore has recommended WhatsApp users guard against the attack by turning off previews for SMS messages, and, more importantly, never leave their devices unattended.

Moreover, WhatsApp created its own two-factor authentication process, which can be turned on by heading into the settings menu. Once enabled, the app will ask users for a custom PIN number at random times when they open the app. 

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020
Government agencies see misconfigured cloud services as top security threat
Security

Government agencies see misconfigured cloud services as top security threat

22 Oct 2020
Lookout reveals mobile-first endpoint detection and response solution
Security

Lookout reveals mobile-first endpoint detection and response solution

21 Oct 2020
Cisco finds an increase in security concerns due to remote working
Security

Cisco finds an increase in security concerns due to remote working

21 Oct 2020

Most Popular

The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
Mobile browser flaw exposes users to spoofing attacks
Security

Mobile browser flaw exposes users to spoofing attacks

21 Oct 2020