There’s a trick that allows attackers to hijack a victim’s WhatsApp account and gain access to personal messages and contact lists. The method relies on the mobile carriers’ automated service to forward calls to a different phone number and WhatsApp’s option to send a One-Time Password (OTP) verification code via voice call. Rahul Sasi, the founder and CEO of digital risk protection company CloudSEK, posted some details about the method saying that it is used to hack WhatsApp accounts. Reporters tested and found that the technique works, albeit with some caveats that a sufficiently skilled attacker could overcome. It takes just a few minutes for the attacker to take over the WhatsApp account of a victim, but they need to know the target’s phone number and be prepared to do some social engineering. Sasi says that an attacker first needs to convince the victim to make a call to a number that starts with a Man-Machine Interface (MMI) code that the mobile carrier set up to enable call forwarding. Depending on the carrier, a different MMI code can forward all calls to a terminal to a different number or just when the line is busy or there is no reception. These codes start with a star (*) or a hash (#) symbol. They are easily found and all major mobile network operators support them. The researcher explains that the 10-digit number belongs to the attacker and the MMI code in front of it tells the mobile carrier to forward all calls to the phone number specified after it when the victim’s line is busy. Once they trick the victim into forwarding calls to their number, the attacker starts the WhatsApp registration process on their device, choosing the option to receive the OTP via voice call. After they receive the OTP code, the attacker can register the victim’s WhatsApp account on their device and enable Two-Factor Authentication (2FA), which prevents legitimate owners from regaining access. Although the method seems simple, getting it to work requires a little effort.
During testing, researchers noticed that the target device also receives a text message informing the user that WhatsApp is being registered on another device. Users may miss this warning if the attacker also turns to social engineering and engages the target in a phone call just long enough to receive the WhatsApp OTP code over voice. If call forwarding has already been activated on the victim’s device, the attacker must use a different phone number than the one used for the redirection – a small inconvenience that might require more social engineering. The clearest clue of suspicious activity for the target user occurs after the mobile operators turn on call forwarding for their device since activation comes with a warning overlayed on the screen that doesn’t go away until the user confirms it.