Israeli researchers recently discovered a dangerous security vulnerability in the instant messaging platform WhatsApp that allows hackers to lock users out of their accounts for up to 12 hours, fairly easily and without even knowing how to code.
"It's a type of denial-of-service attack made possible by a bug in WhatsApp," explains Tsachi Ganot, co-founder and CEO of the cybersecurity consulting firm Pandora Security that found the exploit.
"We discovered the weakness after a few people turned to us after falling victim to this type of attack," Granot says, adding that two of his company's researchers made the discovery. Pandora says it approached Facebook, which owns WhatsApp, through a number of channels, and the social media giant refused to acknowledge the problem even though it has already been exploited by bad actors.
Facebook's communications department also failed to respond to questions from Haaretz, sent together with videos showing how the hack works.
>> Do you work in Israeli hi-tech and have a story to share with us? We can promise full anonymity: Click here to send us an encrypted email
So how does it work? Astonishingly easily, for a start. The hacker uses a cellphone to which WhatsApp has been downloaded and installed, but not yet connected to the platform. The attacker will likely act during the night, when their potential victim is asleep and not actively using their mobile phone.
First, the attacker sends an email to WhatsApp customer support to report the phone stolen, providing the victim's cellphone number and claiming it as their own. The company immediately locks the account, sending the victim a warning to their phone – but, as noted above, the victim is presumably still asleep and unaware of the maneuver.
- Tech Giants Join Facebook's Battle Against Israeli Spytech Firm NSO
- Dozens of Al-Jazeera Journalists Targeted by Israeli NSO's Spyware, Watchdog Says
- Leading Mexican Journalist Targeted by Israeli NSO's Spyware
Next, using the cellphone to which WhatsApp has been installed, the attacker will now try to connect to the app using the victim’s number. They punch in the phone number of the victim's phone, and in response WhatsApp sends a six-digit verification code to the victim's phone. The attacker doesn't wait, and repeatedly types six random numbers in the field where the verification code is supposed to go. The attacker has a good chance of beating the victim to the punch because they do not wait for the actual text messages from WhatsApp and because the victim is very likely still asleep.
After the (wrong) random numbers have been punched in again and again, WhatsApp locks the account – initially for a few minutes and then for seven hours, and pretty soon the lockout reaches 12 hours. During that time, the victim has no access to their WhatsApp account. Thus, though the phone itself is not compromised, attackers can lock victims out of a potentially vital communication tool.
At the moment, any attacker, even the readers of this article, can lock the account of any user, without any intervention by the targeted user, for a very prolonged period and without any recourse by the victim.
It must be stressed that for this type of attack, there's no need for the hacker to convince anyone to click on a link, as is the case with the infamous Pegasus spyware that targeted the app. All that's needed is the victim's phone number. In addition, even using two-factor authentication cannot prevent the attack, the researchers say, as reporting the phone stolen will circumnavigate that mechanism as well.
Despite its seemingly limited function, this type of attack may actually pose a great danger: For example, it can be used as the first strike in what's known as a "social engineering" attack. In such an attack, hackers lock the victim out of the platform, and a few hours later calls from what seems to be a U.S. phone number and poses as a WhatsApp employee. The attacker tells the victim they identified an attack on their account and can help them recover control over it, but in fact they will "steal" the account, for example, by sending in a link that will instal a nefarious program on their phone.
A different scenario for how this hack could have serious effects is, for example, using it against a cabinet minister or defense official during a terror attack, locking them out of a key communication tool just at the time they are most needed.
"As part of our service of developing protection for private accounts, we need an in-depth understanding of the mechanisms that platforms like these built into their products in order to help the user to recover the compromised account. That's how we came across this vulnerability. In essence, this exploit is the result of a security feature that apparently wasn't thoroughly thought out," says Ganot.
Pandora is a boutique firm, tailoring digital security environments for what it's website calls "high-profile individuals."