large image

Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

New WhatsApp voicemail hack exposed – how you can protect your account

Security experts are warning WhatsApp users of a potential hacking threat that could enable an account to be completely taken over by an attacker.

In a blog post, the researchers at Sophos have detailed a vulnerability that could enable messages and account access to be compromised. The hack relies on smartphone users’ tendencies not to change the default settings and PINs that protect their voicemail.

In order to exploit the loophole, attackers must first attempt to register a WhatsApp user’s phone number on their own device. While this would normally summon a request to enter an access code texted to the phone number in question, the attackers perform the hack at a time when the user is less likely to see it (at night, for example).

WhatsApp will then offer to call the phone in question with an automated message, stating the access code. If the victim isn’t reading the text, they’re unlikely to answer the call either, meaning it’s left as a voicemail.

This is where the unprotected voicemail password comes in. Some mobile networks provide generic phone numbers where users can dial in to read their voicemail. Because these default passwords are usually simple 4-digit codes like 0000 or 1234 (which are easily discoverable online), the hackers can easily gain access to the code sent by WhatsApp.

Related: Best smartphone

From here on, the assailant is able to use the code to register the WhatsApp account to their phone and send and receive messages from it. If they choose to use two-step verification, it’s practically impossible for the user to recover their own phone number for use with WhatsApp.

There are, of course, simple ways to protect your WhatsApp account, starting with setting your own strong PIN for the voicemail inbox (i.e. not your date of birth). You should also enable WhatsApp’s own two-step verification tool in order to protect your attack.

Head to Settings > Account > Two-step verification > Enable.

Have you ever lost control of your WhatsApp account? Drop us a line @TrustedReviews on Twitter.

Why trust our journalism?

Founded in 2004, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.