It’s the malicious WhatsApp hack that won’t go away—it works, it’s effective, and it enables a hacker to hijack your account and commit fraud against your friends and colleagues. And now it’s back—with a nasty twist. The hack is simple, relying on you doing something you absolutely should not. And, worse, there is one setting that you and everyone else could update to fully protect yourselves.
I first covered this hack back in January, although there were reports going back to last year. It relies on social engineering and user security complacency. It is the hack I get the most emails about, still to this day, as users around the world struggle to restore their accounts after falling victim. Make sure you don’t join them—here’s how it works and what you must do.
Despite sending its messages over any internet bearer, WhatsApp is still linked to your phone number. This is central to the way it works—your phone number is your unique identifier and the app can only be on one device at a time, even though its web access platform provides a window onto that device.
Because this is how WhatsApp works, when a user changes their phone or reinstalls the app, WhatsApp needs to verify that the new device is linked to the user’s phone number. This is done through a verification SMS with a six-digit code. Once the user taps in the right code, the new installation of WhatsApp is enabled and all messages sent to that user will come to that device.
Importantly, this does not restore any messaging backup—those are managed by the device’s backup process, different for iOS and Android. But even restoring a backup will not register a new device to your WhatsApp account until you have requested, received and entered that SMS verification code.
What was intended as a security strength is actually a surprise weakness. WhatsApp doesn’t check the phone number on the device itself; it relies on that SMS. And so, if an attacker knows your number and can get your verification code, they can hijack your account and install your WhatsApp on their device, even though their device has a different phone number from your own.
Until now, the hack relied on tricking users into giving up their SMS verification codes to a supposed friend or contact. That request was the trick. What is happening behind the scenes is that an attacker has already hijacked a friend’s WhatsApp or Facebook account. They then send you a message along the lines of “my SMS isn’t working, WhatsApp need to send a code and can’t, so I’ve asked them to send it to you instead. Please forward it on.”
Obviously, the code you then receive relates to your own account, not your “friend’s,” and by forwarding that code you are essentially providing an attacker with everything they need to hijack your account.
Now there is a new twist. As first reported by WABetaInfo following a question from a Twitter follower, it seems that attackers have taken to spoofing messages from WhatsApp itself, asking users for those codes. Clearly an attempted account hijack. The methodology has changed but the attack vector is exactly the same. It doesn’t matter how this is done, the risk is the same and the fix is the same—as detailed below.