WhatsApp Accounts Can Be Hijacked Through Call Forwarding

Researchers have described an attack method that allows cybercriminals to take over someone else’s WhatsApp account, gaining access to private messages and contact lists. The vulnerability lies in WhatsApp’s feature that lets users receive one-time passwords (OTPs) via voice calls.

This hacking technique was detailed by experts from CloudSEK. The attack can be carried out in just a few minutes, but the hacker needs to know the victim’s phone number and be prepared to use social engineering tactics.

How the Attack Works

  1. The attacker convinces the victim to dial a number starting with an MMI code, a carrier-defined dialing code that activates call forwarding. Depending on the carrier, the MMI code can forward all calls to another number, or only calls that arrive while the line is busy or unreachable. These codes usually start with an asterisk (*) or a hash (#), and are supported by all major carriers.
  2. Once the victim has set up call forwarding to the attacker’s number, the hacker initiates the WhatsApp registration process on their own device, choosing to receive the OTP via a voice call.
  3. The attacker receives the call with the OTP, allowing them to register the victim’s WhatsApp account on their own device. They can then enable two-factor authentication, which prevents the real account owner from regaining access.
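The first step depends on the victim dialing a call-forwarding MMI string. As an added example (not from the CloudSEK report or this article), the check below recognises such strings so a dialer, MDM agent or awareness tool can warn the user before the call is placed. The service codes are the standard GSM call-forwarding codes from 3GPP TS 22.030; the function names are mine, and carriers may use additional proprietary codes that this table does not cover.

```python
import re

# Standard GSM supplementary-service codes for call forwarding
# (3GPP TS 22.030). Carriers may add their own variants; these are the
# codes a defender should at least recognise.
FORWARDING_SERVICE_CODES = {
    "21": "unconditional",
    "67": "when busy",
    "61": "when no reply",
    "62": "when not reachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}

# Procedure prefix -> what the string does to the service.
ACTIONS = {"*": "activate", "**": "register", "#": "deactivate",
           "##": "erase", "*#": "interrogate"}

# Procedure string: <prefix><service code>[*<supplementary info>...]#
# Supplementary info is the forward-to number, optionally followed by a
# basic-service code and a no-reply timer. The order of the prefix
# alternatives matters: longer prefixes must be tried first.
MMI_RE = re.compile(
    r"^(?P<prefix>\*\*|\*#|\*|##|#)(?P<sc>\d{2,3})(?P<si>(?:\*[+\d]*)*)#$")


def classify_dial_string(dial: str):
    """Describe a call-forwarding MMI string, or return None for anything
    else (plain numbers, unrelated service codes)."""
    compact = re.sub(r"[\s\-()]", "", dial)  # tolerate formatting
    m = MMI_RE.match(compact)
    if not m or m.group("sc") not in FORWARDING_SERVICE_CODES:
        return None
    info = [p for p in m.group("si").split("*") if p]
    action = ACTIONS[m.group("prefix")]
    return {
        "action": action,
        "condition": FORWARDING_SERVICE_CODES[m.group("sc")],
        "forward_to": info[0] if info else None,
        # Only activate/register start diverting calls; deactivate,
        # erase and interrogate do not.
        "diverts_calls": action in ("activate", "register"),
    }


def should_warn(dial: str) -> bool:
    """True when dialing this string would start diverting the user's
    calls, which is the step the attack described above relies on."""
    result = classify_dial_string(dial)
    return bool(result and result["diverts_calls"])
```

A deactivation (`#21#`) or status query (`*#21#`) is classified but not flagged, so a user cleaning up after an incident is not warned needlessly.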

Warning Signs and Prevention

During the attack, the victim’s device will receive text messages warning that WhatsApp is being registered on another device. However, these alerts can be missed, especially if the attacker uses social engineering to keep the victim engaged in a phone conversation while the OTP is being delivered.

Experts note that protecting yourself from this type of attack is simple: just enable two-factor authentication in WhatsApp.