Hackers Exploit WhatsApp, Target Far-right Jerusalem Official

Israeli researchers discovered a way to lock you out of your WhatsApp. Facebook failed to address the issue. Now its being used

Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
Aryeh King, the right-wing deputy mayor of Jerusalem, did not fall for the attempt to break into his phone, attributed to Malaysian hackers
Aryeh King, the right-wing deputy mayor of Jerusalem, did not fall for the attempt to break into his phone, attributed to Malaysian hackers Credit: Olivier Fitoussi
Amitai Ziv

Islamists hackers made use of a known exploit to try to hack the phone of a far-right Jewish official who serves as Jerusalem’s deputy mayor, highlighting the risks of the technique which allows anyone to block a victim out of the popular WhatsApp messaging service.

According to a video posted to an Israeli cybersecurity group, suspected hackers can be seen making multiple attempts to log into Aryeh King’s WhatsApp using his phone number, and then multiple additional attempts to fill in the verification code the app sends users in such cases. 

The goal of the attack, which the firebrand politician did not fall far, was double - both to lock King out of his account and to take control of the phone’s WhatsApp. It thus reveals how nefarious actors can easily exploit the messaging app to lock victims out of their own phones.

Screen capture of video showing attempt to hack King's phone using a known exploitCredit:

The exploit was revealed last year by Tsachi Ganot, co-founder and CEO of the cybersecurity consulting firm Pandora Security. The firm as well as Haaretz informed Facebook, which owns WhatsApp, about it but the social media giant has failed to act and the technique can still be used.

The hack is astonishingly easily: The hacker uses a cellphone to which WhatsApp has been downloaded and installed, but not yet connected to the platform. They then sends an email to WhatsApp customer support to report the phone stolen, providing the victim's cellphone number and claiming it as their own. 

>> Do you work in Israeli hi-tech and have a story to share with us? We can promise full anonymity: Click here to send us an encrypted email

The company immediately locks the account, sending the victim a warning to their phone. Next, using the cellphone to which WhatsApp has been installed, the attacker will now try to connect to the app using the victim’s number. They punch in the phone number of the victim's phone, and in response WhatsApp sends a six-digit verification code to the victim's phone. 

King confirmed to Haaretz that the attackers tried to get him to transfer the verification code he received ,thus allowing them full control of his account. King, however, did not heed their demand. 

All hackers need to do is report your phone stolen and then fill in the wrong code enough times to get you locked out of your account - all without you even knowing

After the (wrong) random numbers have been punched in again and again, WhatsApp locks the account – initially for a few minutes and then for seven hours, and pretty soon the lockout reaches 12 hours. During that time, the victim has no access to their WhatsApp account. Thus, though the phone itself is not compromised, attackers can lock victims out of a potentially vital communication tool. 

It must be stressed that for this type of attack, there's no need for the hacker to convince anyone to click on a link, as is the case with the infamous Pegasus spyware that targeted the app. All that's needed is the victim's phone number. In addition, even using two-factor authentication cannot prevent the attack, the researchers say, as reporting the phone stolen will circumnavigate that mechanism as well. 

Comments