The attack does not exploit any vulnerability in WhatsApp; instead, it relies on the way the account setup mechanism works.
WhatsApp lets users sign up for the app using only their phone number, so an attacker who wants to hijack your WhatsApp account needs the OTP (one-time password) sent to that number.
The attacker can grab this OTP by diverting the SMS containing the passcode to their own computer or phone, using either a malicious app or an SS7 vulnerability, and then log into the victim's WhatsApp account. The attack works even when the phone is locked.
In August, Iranian state-sponsored hackers reportedly hijacked dozens of Telegram accounts belonging to activists and journalists by exploiting a similar loophole.
At the time, we reported that such an attack could also be used against any messaging app whose registration relies on SMS-based verification, including WhatsApp and Viber.
To fix this issue, WhatsApp has now introduced a Two-Step Verification (2SV) passcode feature in its beta version for Android, which lets you lock down the WhatsApp set-up mechanism.
In other words, once two-step verification is enabled, reconfiguring the WhatsApp account requires not just the OTP but also a 6-digit 2SV passcode set by the user.
How to Enable Two-Step Verification
To enable two-step verification (2SV), you need to sign up for WhatsApp's beta version and follow these simple steps:
- Go to WhatsApp Settings → Account → Two-step verification.
- Tap Enable, set a 6-digit passcode and confirm it.
- On the next screen, enter your email address (optional) to enable passcode recovery via email. (Using an email backup is recommended so that you are not locked out of your account if you forget your passcode.)
- Hit "Done," and you are all set.
Providing your email address is optional; if you do, it lets you reset your passcode when you forget it. Here's what WhatsApp says about the email option:
"We do not verify this email address to confirm its accuracy. We highly recommend you provide an accurate email address so that you are not locked out of your account if you forget your passcode. If you receive an email to disable two-step verification but did not request this, do not click on the link. Someone could be attempting to verify your phone number on WhatsApp."
But what if you forget the passcode after setting it months ago?
To help you remember your 2SV passcode, WhatsApp will periodically ask you to enter it, and there is no way to opt out of these prompts without disabling the 2SV feature.
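The mechanism described above (SMS code alone vs. SMS code plus a user-chosen passcode, with an unverified recovery email that can switch the passcode off) is easy to see in a small model. The following Python is an added illustration written for this article, not WhatsApp's code; the `AccountServer` class, its methods and the sample phone number and email are all assumptions, and the sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Toy model of an SMS-verified account setup with an optional second factor,
# added to illustrate this article. It is not WhatsApp's code, and every
# class, function and field name here is an assumption.

PASSCODE_LEN = 6
OTP_TTL_SECONDS = 300


def _hash_passcode(passcode, salt):
    # Salted, slow hash: a leaked server record should not reveal the passcode.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


class AccountServer:
    def __init__(self):
        self.accounts = {}      # phone -> {"salt", "passcode_hash", "email"}
        self.pending_otps = {}  # phone -> (otp, expires_at)
        self.reset_tokens = {}  # phone -> token mailed to the recovery address
        self.sessions = {}      # phone -> device currently holding the account

    def send_otp(self, phone, now):
        # Stands in for the SMS: whoever can read the message holds this value.
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[phone] = (otp, now + OTP_TTL_SECONDS)
        return otp

    def enable_two_step(self, phone, passcode, email=None):
        if len(passcode) != PASSCODE_LEN or not passcode.isdigit():
            raise ValueError("passcode must be exactly 6 digits")
        salt = secrets.token_bytes(16)
        # The email is stored unverified, as the article notes.
        self.accounts[phone] = {"salt": salt, "email": email,
                                "passcode_hash": _hash_passcode(passcode, salt)}

    def register_device(self, phone, device, otp, passcode=None, now=0.0):
        """Move the account to `device` if the proofs presented are sufficient."""
        pending = self.pending_otps.get(phone)
        if pending is None:
            return False
        expected_otp, expires_at = pending
        if now > expires_at or not hmac.compare_digest(expected_otp, otp):
            return False
        record = self.accounts.get(phone)
        if record is not None:
            # Two-step verification is on: the SMS code alone is not enough.
            if passcode is None:
                return False
            candidate = _hash_passcode(passcode, record["salt"])
            if not hmac.compare_digest(candidate, record["passcode_hash"]):
                return False
        del self.pending_otps[phone]  # consume the OTP so it cannot be replayed
        self.sessions[phone] = device
        return True

    def request_disable_link(self, phone):
        """Mail a one-time token to the recovery address; None if no email is set."""
        record = self.accounts.get(phone)
        if record is None or record["email"] is None:
            return None
        token = secrets.token_urlsafe(24)
        self.reset_tokens[phone] = token
        return token  # stands in for the link inside the email

    def disable_two_step(self, phone, token):
        expected = self.reset_tokens.pop(phone, None)
        if expected is None or token is None or not hmac.compare_digest(expected, token):
            return False
        del self.accounts[phone]
        return True


def demo():
    """Replay the article's scenario: an SMS code read by someone other than the owner."""
    server = AccountServer()
    phone = "+15550000001"  # constructed sample number
    server.sessions[phone] = "victim-phone"
    # No second factor: the diverted SMS code is all a third party needs.
    code = server.send_otp(phone, now=0)
    hijacked_without_2sv = server.register_device(phone, "other-phone", code, now=1)
    # With two-step verification on, the same diverted code is refused ...
    server.enable_two_step(phone, "481516", email="owner@example.invalid")
    code = server.send_otp(phone, now=100)
    hijacked_with_2sv = server.register_device(phone, "other-phone", code, now=101)
    # ... while the owner, who knows the passcode, can still set up a new phone.
    code = server.send_otp(phone, now=200)
    owner_ok = server.register_device(phone, "victim-new-phone", code, "481516", now=201)
    # Recovery: only the holder of the mailed token can switch the passcode off,
    # which is why an unrequested "disable" email is a warning sign.
    recovered = server.disable_two_step(phone, server.request_disable_link(phone))
    return hijacked_without_2sv, hijacked_with_2sv, owner_ok, recovered
```

Running `demo()` returns `(True, False, True, True)`: the diverted code is enough on its own, is refused once a passcode is set, the owner can still move to a new phone, and the emailed token is the only path that disables the passcode. The passcode is stored as a salted PBKDF2 hash and every comparison uses `hmac.compare_digest`, so a copy of the server records or a timing side channel does not give the passcode away.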
For now, the feature is available only in the WhatsApp beta, and the company will start rolling out two-step verification with the stable releases for both iOS and Android, reaching its more than 1 billion users, in the coming weeks.
To use two-step verification now, you can sign up as a beta tester and update to WhatsApp (Beta) version 2.16.346 from the Google Play Store.
Once signed up, your smartphone will be automatically updated to the WhatsApp Beta version in the next app update cycle.