Your WhatsApp account can be totally stolen as long as your attacker knows your number and can have a quick glance at your phone's screen.
Your phone doesn't need to be unlocked, they don't need any WhatsApp password or your email address, and once they've hijacked the account they'll probably be offered an archive of all your WhatsApp chats and call logs as well.
This attack would easily work against co-workers, roommates, spouses, classmates and so on. It would even work against someone you're having lunch or coffee with, or your boss.
All your target needs is for you to leave your phone alone for a few seconds, such as when you go to the bathroom.
ESET security researcher Jake Moore walked us through this process in a blog post today (April 20), and honestly, it seemed too good to be true. But we tried it ourselves, and much to our horror, it totally worked.
At this point, we would normally tell you to protect yourself with one of the best password managers or some of the best antivirus software. But this rather ridiculous security hole doesn't involve passwords or malware.
Fortunately, there's an easy way to avoid this kind of attack: enable a PIN on your WhatsApp account, one that you'll have to enter whenever the account is registered on a new phone. You might also want to disable text-message previews on your lockscreen, although we know that's inconvenient.
How this attack works
Moore's method is ridiculously easy. Here are the steps someone needs to take to steal your WhatsApp account.
1. Install WhatsApp on a phone where it's not already installed.
2. Wait for your target to walk away from their own phone.
3. When WhatsApp asks you for your phone number, type in your target's number instead.
4. WhatsApp will text a six-digit one-time-use confirmation code to your target's phone.
5. If your target's phone shows text-message previews on the lockscreen -- and almost all phones, iOS or Android, do so by default -- then the confirmation code will appear as a preview on their phone's screen.
6. Type the confirmation code into WhatsApp on your phone.
It took us 10 seconds to do this on two phones we own. We didn't need to unlock the first device to see the confirmation code, because it popped up on the lockscreen. The trickiest part was memorizing it, because it was only onscreen for a couple of seconds.
Because a WhatsApp account can only be active on one phone at a time, entering the code moved the account from the first phone to the second. If you were doing this to someone else, they would lose access to their own account.
Following the transfer, we were prompted to port all the data that WhatsApp had backed up to Google Drive (or iCloud) to the new phone. Since we want to move the account back to the first phone, we didn't do that.
But Moore did, and he was able to view all the archived chats of a co-worker whose account he stole using this method. (He had her consent to do so, and restored her account on her phone once his experiment was done.)
How to protect your WhatsApp account
Needless to say, you do not want someone else stealing your WhatsApp account. The best way to avoid this is to add a PIN to your account.
WhatsApp calls this two-step verification, which it is, but that's not to be confused with two-factor authentication (2FA). Without the PIN, WhatsApp's only check when a number is registered on a new phone is the SMS code, and that single check, which anyone glancing at your lockscreen can pass, is what got us into trouble here in the first place.
Anyhow, you just need to go into your WhatsApp settings, tap Account, then tap Two-Step Verification. You'll be prompted to create a six-digit PIN that you'll need to enter again the next time you port your WhatsApp account to a new phone.
You'll also probably want to enter an email address that will serve as a fallback in case you forget that PIN.
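To make concrete why the six steps above work and why the PIN stops them, here is a small Python model of a number-based registration flow. It is an added illustration written for this article, not WhatsApp's code or Jake Moore's; the server class, the sample number, the sample PIN and the device names are all hypothetical. The attacker's only capability in the model is reading the latest SMS preview for the victim's number, exactly as in step 5.

```python
"""Toy model of a phone-number-based account registration flow.

Added, hypothetical illustration for this article: not WhatsApp's code and not
Jake Moore's. Every name, number and PIN below is an assumption. It models the
one thing the attack relies on: with no two-step PIN set, the six-digit SMS code
is the only check, and anyone who can read that code off the victim's lockscreen
can pass it.
"""
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VICTIM = "+15550100"    # constructed sample number
VICTIM_PIN = "482913"   # constructed sample two-step PIN (never sent over SMS)


@dataclass
class Account:
    number: str
    device: str                 # the phone currently holding the session
    pin: Optional[str] = None   # two-step verification PIN, if the user set one


class RegistrationServer:
    """Hypothetical server side of 'register this number on a new phone'."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, Tuple[str, str]] = {}   # number -> (code, requesting device)
        self.sms_outbox: List[Tuple[str, str]] = []     # (number, text) delivered to whoever holds the SIM

    def enroll(self, number: str, device: str, pin: Optional[str] = None) -> None:
        self.accounts[number] = Account(number, device, pin)

    def request_code(self, number: str, device: str) -> None:
        # Anyone can trigger this; they only need to know the number (step 3).
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = (code, device)
        self.sms_outbox.append((number, f"Your verification code is {code}"))

    def verify(self, number: str, device: str, code: str, pin: Optional[str] = None) -> str:
        entry = self.pending.get(number)
        if entry is None:
            return "no pending code"
        expected, requester = entry
        if requester != device or not hmac.compare_digest(expected, code):
            return "bad code"
        del self.pending[number]                       # one-time code: consumed on first use
        account = self.accounts[number]
        if account.pin is not None and (pin is None or not hmac.compare_digest(account.pin, pin)):
            return "pin required"                      # session stays on the old phone
        account.device = device                        # account moves; the old phone is logged out
        return "transferred"


def lockscreen_peek(server: RegistrationServer, number: str) -> str:
    """The attacker's whole capability: read the latest preview on the victim's lockscreen (step 5)."""
    latest = [text for num, text in server.sms_outbox if num == number][-1]
    return re.search(r"\b(\d{6})\b", latest).group(1)


def simulate_hijack(pin_enabled: bool) -> Tuple[str, str]:
    """Run the article's steps against a victim with or without a two-step PIN.

    Returns (server response, device holding the account afterwards)."""
    server = RegistrationServer()
    server.enroll(VICTIM, "victim-phone", VICTIM_PIN if pin_enabled else None)
    server.request_code(VICTIM, "attacker-phone")            # step 3: enter the victim's number
    code = lockscreen_peek(server, VICTIM)                   # step 5: glance at the preview
    result = server.verify(VICTIM, "attacker-phone", code)   # step 6: the attacker knows no PIN
    return result, server.accounts[VICTIM].device


def legitimate_transfer() -> Tuple[str, str]:
    """The owner moving to a new phone still succeeds, because they know the PIN."""
    server = RegistrationServer()
    server.enroll(VICTIM, "old-phone", VICTIM_PIN)
    server.request_code(VICTIM, "new-phone")
    code = lockscreen_peek(server, VICTIM)
    result = server.verify(VICTIM, "new-phone", code, pin=VICTIM_PIN)
    return result, server.accounts[VICTIM].device


if __name__ == "__main__":
    print("no PIN set:  ", simulate_hijack(pin_enabled=False))   # ('transferred', 'attacker-phone')
    print("PIN set:     ", simulate_hijack(pin_enabled=True))    # ('pin required', 'victim-phone')
    print("owner w/ PIN:", legitimate_transfer())                # ('transferred', 'new-phone')
```

The model makes the design point explicit: the SMS code proves only that someone could see the phone that receives the number's texts, which a lockscreen preview hands out for free, while the PIN is a knowledge factor that never crosses the screen, so the server refuses the move and the session stays on the victim's phone.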
Moore suggests turning off SMS-message previews on your lockscreen, which is probably a good idea in theory. But it's going to make using your phone a lot less convenient.
However, we do agree that you should never leave your phone unattended when you're out of the house -- or even while in the house if you don't trust your roommates.