Islamists hackers made use of a known exploit to try to hack the phone of a far-right Jewish official who serves as Jerusalem’s deputy mayor, highlighting the risks of the technique which allows anyone to block a victim out of the popular WhatsApp messaging service.
According to a video posted to an Israeli cybersecurity group, suspected hackers can be seen making multiple attempts to log into Aryeh King’s WhatsApp using his phone number, and then multiple additional attempts to fill in the verification code the app sends users in such cases.
The goal of the attack, which the firebrand politician did not fall far, was double - both to lock King out of his account and to take control of the phone’s WhatsApp. It thus reveals how nefarious actors can easily exploit the messaging app to lock victims out of their own phones.
The exploit was revealed last year by Tsachi Ganot, co-founder and CEO of the cybersecurity consulting firm Pandora Security. The firm as well as Haaretz informed Facebook, which owns WhatsApp, about it but the social media giant has failed to act and the technique can still be used.
The hack is astonishingly easily: The hacker uses a cellphone to which WhatsApp has been downloaded and installed, but not yet connected to the platform. They then sends an email to WhatsApp customer support to report the phone stolen, providing the victim's cellphone number and claiming it as their own.
>> Do you work in Israeli hi-tech and have a story to share with us? We can promise full anonymity: Click here to send us an encrypted email
The company immediately locks the account, sending the victim a warning to their phone. Next, using the cellphone to which WhatsApp has been installed, the attacker will now try to connect to the app using the victim’s number. They punch in the phone number of the victim's phone, and in response WhatsApp sends a six-digit verification code to the victim's phone.
- Anyone can lock you out of WhatsApp. Facebook doesn't care. Here's how it works
- Palestinian activist plans to sue Jerusalem deputy mayor over violent threat
- Israeli officials cracking down on 'racist' social media posts by Arab civil servants
King confirmed to Haaretz that the attackers tried to get him to transfer the verification code he received ,thus allowing them full control of his account. King, however, did not heed their demand.
After the (wrong) random numbers have been punched in again and again, WhatsApp locks the account – initially for a few minutes and then for seven hours, and pretty soon the lockout reaches 12 hours. During that time, the victim has no access to their WhatsApp account. Thus, though the phone itself is not compromised, attackers can lock victims out of a potentially vital communication tool.
It must be stressed that for this type of attack, there's no need for the hacker to convince anyone to click on a link, as is the case with the infamous Pegasus spyware that targeted the app. All that's needed is the victim's phone number. In addition, even using two-factor authentication cannot prevent the attack, the researchers say, as reporting the phone stolen will circumnavigate that mechanism as well.