Facebook’s WhatsApp messaging service is insanely popular.
That’s quite a lot of chitchat!
Of course, the little app that Facebook paid a whole lot of money for last year has had its share of security/privacy thrills and chills, such as spilling the beans about when you’re online; privacy holes that could lead to a bit of a private-image peepshow; another blunder that involved using non-secret information to construct secret encryption keys (which is a bit like using your pet’s name as a password); and then there was the two-time use of a one-time pad: a cryptographic technique requiring, as its name suggests, that you never re-use its key material.
The latest WhatsApp episode isn’t quite such a nail-biter, though, as it’s not a hole, per se. It’s more of a warning about the dangers of not keeping an eye on your gadget.
To wit: as The Hacker News reports, the WhatsApp account of every one of those 800 million(!) active users can be hijacked without unlocking the device or knowing its password.
Technical knowledge required: about zero.
Basically, all a wrongdoer needs is to know the phone number of a target and to get access to their phone – even if it’s locked – for a few seconds.
It doesn’t matter if the victim has a lock screen enabled on their phone, since that won’t stop the hijacker from answering the authentication call and intercepting the (supposedly) secret PIN needed to set up the hijacked WhatsApp account on another phone.
The Hacker News notes that this gets nastier still with an iPhone that has Siri enabled on the lock screen, given that Siri can be persuaded to divulge all manner of contact details or notifications, “effectively giving everyone access to their phone number without the need for a PIN.”
I contacted Facebook to see if it had any feedback on this and will update the story if somebody gets back to me.
But given that it’s part of the account setup mechanism, I’m assuming he or she will tell me that, well, it’s not a bug, since it’s part of the account setup mechanism.
But it is a good reminder to keep an eye on your devices when you’re out and about!
Oh, and if you have an iPhone, you may want to disable Siri on the lock screen.