WhatsApp hack could let people steal messages, as users urged to take precautions to protect themselves

Andrew Griffin
Monday 30 November 2020 11:00 GMT

A dangerous WhatsApp hack could allow access to all of a user's messages, and then let attackers use that account to steal other people's private conversations too.

The attack allows hackers to pose as a friend and get access to a person's account. If an account is lost in that way, the hacker can then use that to attack other people, meaning that being hit by the attack could hurt not only yourself but other people in your contacts.

It uses a simple but powerful way to gain access to various accounts. But protecting against it is fairly simple: never give out the six-digit "verification code" that WhatsApp will send you when someone tries to get into your account, and you can set up two-factor authentication to be absolutely sure.

The hack begins when an attacker gets access to another WhatsApp account, which will have you listed as a contact. They will then send you messages that look like they are coming from that person, and may appear normal.

At around the same time, however, you may receive a text containing the six-digit code that WhatsApp asks you to input whenever you try to log in or make changes to an account. That is happening because the attacker is secretly trying to convert all of the people in the original person’s contact list into a WhatsApp business account.

The two parts of the attack then join up: the person pretending to be your friend will suggest that they sent the six-digit code to the wrong account, and ask you to help them out by sending the code over.

If you do, the attack is successful, since the person gains access to your account, and you lose it. At that point, your account will become another way for the hacker to gain access to more accounts, as your friends receive messages that appear to be from you.

The simplest way of protecting against this problem is not to pass on the six-digit code. Without that, WhatsApp’s security tools should mean that people can’t get into your account.

It is never advisable to pass on one of those codes to anyone else, under any circumstances. But the nature of the hack might make it seem innocent in this case, given that the message does appear to be coming from a friend.

Other attacks in the past have attempted to do much the same, but the messages asking for the code have usually come from someone posing as the “WhatsApp Technical Team” or similar. What makes this attack so potentially damaging is that the message may appear to be from a friend.

But there is no way for any request like that to be legitimate: users can’t really send the code to the wrong number, and if they did then they could just ask for it to be sent again. So any time anyone asks for it, it is best to refuse, and to take any further steps required to report what is likely a hack.

It is also advisable to turn on two-step verification, which gives extra protection to an account. That locks down accounts with a six-digit PIN, one that only you have access to, and is separate to the one that is sent as a text to a phone number – without that, nobody will be able to get in.
