WhatsApp hack could let people steal messages, as users urged to take precautions to protect themselves

Andrew Griffin
Monday 30 November 2020 06:00 EST

A dangerous WhatsApp hack could give attackers access to all of a user's messages, and then let them use that account to steal other people's private conversations too.

The attack allows hackers to pose as a friend and get access to a person's account. If an account is lost in that way, the hacker can then use that to attack other people, meaning that being hit by the attack could hurt not only yourself but other people in your contacts.

It uses a simple but powerful way to gain access to various accounts. But protecting against it is fairly simple: never give out the six-digit "verification code" that WhatsApp will send you when someone tries to get into your account, and you can set up two-factor authentication to be absolutely sure.

The hack begins when an attacker gets access to another WhatsApp account, which will have you listed as a contact. They will then send you messages that look like they are coming from that person, and may appear normal.

At around the same time, however, you may receive a text containing the six-digit code that WhatsApp asks you to input whenever you try to log in or make changes to an account. That is happening because the attacker is secretly trying to convert all of the people in the original person’s contact list into a WhatsApp business account.

The two parts of the attack then join up: the person pretending to be your friend will suggest that they sent the six-digit code to the wrong account, and ask you to help them out by sending the code over.

If you do, the attack is successful, since the person gains access to your account, and you lose it. At that point, your account will become another way for the hacker to gain access to more accounts, as your friends receive messages that appear to be from you.

The simplest way of protecting against this problem is not to pass on the six-digit code. Without that, WhatsApp’s security tools should mean that people can’t get into your account.

It is never advisable to pass on one of those codes to anyone else, under any circumstances. But the nature of the hack might make it seem innocent in this case, given that the message does appear to be coming from a friend.

Other attacks in the past have attempted to do much the same, but the messages asking for the code have usually come from someone posing as the “WhatsApp Technical Team” or similar. What makes this attack so potentially damaging is that the message may appear to be from a friend.

But there is no way for any request like that to be legitimate: users can’t really send the code to the wrong number, and if they did then they could just ask for it to be sent again. So any time anyone asks for it, it is best to refuse, and to take any further steps required to report what is likely a hack.

It is also advisable to turn on two-step verification, which gives extra protection to an account. That locks down accounts with a six-digit PIN, one that only you have access to and that is separate from the code sent as a text to a phone number – without that PIN, nobody will be able to get in.
