WhatsApp flaw leaves users open to 'shoulder surfing' attacks

Hackers can gain full access to individual’s WhatsApp accounts using just their phone number

WhatsApp users are susceptible to shoulder surfing attacks due to the way the service restores accounts to new devices, with hackers able to compromise individuals using just their phone number.

Messages sent through WhatsApp are protected through end-to-end encryption, meaning its incredibly challenging for hackers to intercept and spy on communications data.

However, a security expert has demonstrated how criminals may be able to compromise users by downloading their accounts to third-party devices.

Users logging into WhatsApp on a new device must first acquire a unique code that’s sent to them via text message. This code, once entered into the app, will validate the phone and restore account settings and history from a backup.

Should hackers manage to obtain a victim’s phone number, they can download WhatsApp on a clean device and enter this to request an account restoration code be sent via text message. Should they be within spying distance of the victim’s smartphone, they can obtain that code as and when it’s sent, according to ESET security specialist Jake Moore

From there, by simply entering the unique code into their clean device, they can fully compromise the victim’s WhatsApp account.

Moore said he devised the theory and decided to test it on a colleague, who often finds themselves at the end of his social engineering experiments. 

“Recently, I threw into our conversation that it’s always a good idea to back up your WhatsApp chats, just in case she didn’t, as I wouldn’t want her to lose them forever,” Moore said. “A few days later, I used my spare phone and downloaded the app. It requested my phone number to verify the device it was to be installed on.”

“It wasn’t long before my colleague left her desk to make a coffee, leaving her phone in view on her desk, so I entered her phone number into my new WhatsApp account. 

Related Resource

Remote office networks pose a business and reliability risk

A survey of IT professionals shows that nearly every company suffers direct business impact from network service interruptions

Download now

“Her phone instantly received a message (on silent) and I walked past her desk mentally noting the code. I typed it in the verification field on my spare phone. Et voilà - I had control of her account.”

While employees and IT teams may take all the precautions in the world to guard against network-based cyber attacks, they may find themselves vulnerable to in-person shoulder surfing attacks.

It’s a huge risk when in the office or even out and about. Moore, for instance, highlighted how likely we are to leave our phones by our desks while in the office, or on the table in a restaurant when dining with others.

Moore has recommended WhatsApp users guard against the attack by turning off previews for SMS messages, and, more importantly, never leave their devices unattended.

Moreover, WhatsApp created its own two-factor authentication process, which can be turned on by heading into the settings menu. Once enabled, the app will ask users for a custom PIN number at random times when they open the app. 

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Global ransom DDoS extortionists are retargeting companies
distributed denial of service (DDOS)

Global ransom DDoS extortionists are retargeting companies

22 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
BEC scammers are using Google Forms to identify easy victims
phishing

BEC scammers are using Google Forms to identify easy victims

21 Jan 2021

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021