Facebook’s WhatsApp messaging service is insanely popular.
In fact, in January, it was the most popular messaging app on the planet, with more than 600 million active users, and by April it blew that number away, zooming up to 800 million active users.
That’s quite a lot of chitchat!
Of course, the little app that Facebook paid a whole lot of money for last year has had its share of security/privacy thrills and chills, such as spilling the beans about when you’re online; privacy holes that could lead to a bit of a private-image peepshow; another blunder that involved using non-secret information to construct secret encryption keys (which is a bit like using your pet’s name as a password); and then there was the two-time use of a one-time pad: a cryptographic technique requiring, as its name suggests, that you never re-use its key material.
The latest WhatsApp episode isn’t quite such a nail-biter, though, as it’s not a hole, per se. It’s more of a warning about the dangers of not keeping an eye on your gadget.
To wit: as The Hacker News reports, the WhatsApp account of every one of those 800 million(!) active users can be hijacked, without unlocking or knowing the device password.
Technical knowledge required: about zero.
Basically, all a wrongdoer needs is to know the phone number of a target and to get access to their phone – even if it’s locked – for a few seconds.
It doesn’t matter if the victim has a lock screen enabled on their phone, since that won’t block the hijacker from answering an authentication call and intercepting the (supposedly) secret PIN needed to set up the hijacked Whatsapp account on another phone.
The Hacker News notes that this gets nastier still with an iPhone that has Siri enabled on the lock screen, given that Siri can be persuaded to divulge all manner of contact details or notifications, “effectively giving everyone access to their phone number without the need for a PIN.”
I contacted Facebook to see if it had any feedback on this and will update the story if somebody gets back to me.
But given that it’s part of the account setup mechanism, I’m assuming he or she will tell me that, well, it’s not a bug, since it’s part of the account setup mechanism.
But it is a good reminder to keep an eye on your devices when you’re out and about!
Oh, and if you have an iPhone, you may want to disable Siri on the lock screen.
Image of WhatsApp courtesy of Twin Design / Shutterstock.com .
Jack
Very interesting! What about Line and WeChat?
speryvam.hartelap@gmail.com
It’s not as bad as it might sound since you’ll immediately notice that your account has been disconnected if this ever happens to you (because WhatsApp can only be tied to one phone number at a time).
But using a messenger which isn’t open to this (and more serious attacks), like Threema, is a good idea, of course!
Common Sense
It’s not exactly true. You can choose NOT to allow messages to appear on your lock screen depending upon which handset you’re using.
The simpler, more practical solution would be to have a couple of lines of text preceding the code, e.g.
“The following is your WhatsApp authentication code. Please enter it into the application when requested.
2921712”
Doing this would prevent the code from being seen in the somewhat minimalistic preview function.