How Easy Is It To Hijack A Whatsapp User’s Account?

Whatsapp ConfirmationThe mobile messaging tool Whatsapp has been attracting some intense scrutiny recently. I do agree that the flat way Whatsapp uses contacts is worthy of question. Contact information should only be accessible and used for short periods of time, and users should be in control of what is shown. Right now, if I have Whatsapp installed, I can’t stop my account and status from being displayed on another users device so long as they have my phone number (and, provided I haven’t blocked their phone number). Being able to control what is publicly displayed would go along way to helping Whatsapp with privacy issues. But, the application appears to also be easily hijacked; that’s a problem and I’ll show you why.

To be fair, I came across this while moving iOS devices. This kind of thing is probably not something a person will stumble across unless specific actions (and access) is obtained. You’ll need to have access to an iOS device with Whatsapp installed (I’ll call the target) and the source device, likely an iPhone with Whatsapp, capable of SMS messaging. In addition, you’ll need to phone user’s phone number, but you can just get that from the phone. I have not attempted this with other platforms running Whatsapp, but it seems reasonable that this process will still work with them. As always, your mileage will vary.

1. Open Whatsapp on the target device and set your Whatsapp phone number to the soon-to-be hijacked phone number

2. Obtain the soon-to-be hijacked iPhone and wait for the confirmation SMS number, enter this into your target device when received

3. Once confirmed, you can use the new iOS device to send and receive message attached to that phone number

At the heart of this is how Whatsapp authenticates your account access (by way of phone number) using an SMS confirmation code. I have done this with two iPhones and, if I recall correctly, this was even possible on a device without phone access. Given that, once you’ve confirmed an account on the target device, this could even work on an iPod Touch. In my experience, after authenticating the target device, Whatsapp will continue to send and receive messages on the old device, but it’s not clear for how long.

I generally just stumbled across this process and wasn’t thinking how this could be used maliciously  but it does seem possible. What is clear is that Whatsapp can improve this process by having users create accounts on their servers. This simple process is easily done, but probably not something super common. I wonder if anyone else had tried this process?