Date: 2018-10-09

Security experts are warning WhatsApp users of a potential hacking threat that could enable an account to be completely taken over by an attacker.

In a blog post, the researchers at Sophos have detailed a vulnerability that could enable messages and account access to be compromised. The hack relies on smartphone users’ tendencies not to change the default settings and PINs that protect their voicemail.

In order to exploit the loophole, attackers must first attempt to register a WhatsApp user’s phone number on their own device. While this would normally summon a request to enter an access code texted to the phone number in question, the attackers perform the hack at a time when the user is less likely to see it (at night, for example).

WhatsApp will then offer to call the phone in question with an automated message, stating the access code. If the victim isn’t reading the text, they’re unlikely to answer the call either, meaning it’s left as a voicemail.

This is where the unprotected voicemail password comes in. Some mobile networks provide generic phone numbers that users can dial to access their voicemail. Because the default voicemail passwords are usually simple 4-digit codes like 0000 or 1234 (which are easily discoverable online), the hackers can easily gain access to the code sent by WhatsApp.

From here on, the assailant is able to use the code to register the WhatsApp account to their phone and send and receive messages from it. If the attacker then enables two-step verification on the hijacked account, it’s practically impossible for the user to recover their own phone number for use with WhatsApp.

There are, of course, simple ways to protect your WhatsApp account, starting with setting your own strong PIN for the voicemail inbox (for example, not your date of birth). You should also enable WhatsApp’s own two-step verification tool in order to protect your account.

Head to Settings > Account > Two-step verification > Enable.
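As an added example (not code from Sophos, WhatsApp or this article), the check below flags the weak voicemail PIN choices the article names: the defaults 0000 and 1234, and PINs taken from a date of birth. The function names, the extra patterns (repeated digits, digit runs) and the sample values are assumptions made for illustration.

```python
from __future__ import annotations
from datetime import date

# Defaults named in the article; a carrier's real defaults may differ (assumption).
KNOWN_DEFAULTS = {"0000", "1234"}


def dob_candidates(dob: date) -> set[str]:
    """PINs commonly derived from a date of birth (4, 6 and 8 digits)."""
    dd, mm, yyyy = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, mm + yy, dd + yy, yy + mm, yy + dd,
            dd + mm + yy, mm + dd + yy, dd + mm + yyyy, mm + dd + yyyy}


def is_run(pin: str) -> bool:
    """True for ascending or descending digit runs (2345, 9876, 8901)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def voicemail_pin_problems(pin: str, dob: date | None = None) -> list[str]:
    """Return the reasons a voicemail PIN is weak; an empty list means none found."""
    if not (pin.isascii() and pin.isdigit()):
        return ["PIN must contain digits only"]
    problems = []
    if len(pin) < 4:
        problems.append("shorter than 4 digits")
    if pin in KNOWN_DEFAULTS:
        problems.append("known default PIN")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    if is_run(pin):
        problems.append("sequential digits")
    if dob is not None and pin in dob_candidates(dob):
        problems.append("derived from date of birth")
    return problems


if __name__ == "__main__":
    sample_dob = date(1990, 7, 14)  # constructed sample value
    for candidate in ("0000", "1234", "1407", "9876", "8042"):
        print(candidate, voicemail_pin_problems(candidate, sample_dob) or "ok")
```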

