It turns out that it is possible to take over someone’s WhatsApp account by convincing the victim to enter a specific code on his or her phone.
The trick isn’t easy, but it’s also not impossible for experienced manipulators. The concept is to convince a victim to forward their phone calls to another number. Once that happens, the perpetrator can request a one-time password for verification via a telephone conversation, in order to take over the account.
The practice is disclosed by Rahul Sasi, CEO of security firm CloudSEK. Security website Bleeping Computer was able to test the practice and considers it not easy to implement but feasible with some effort.
In practice, you as a victim are called and convinced to enter a code on your phone. In practice, this is an MMI code that starts with a * or #, which gives the command to forward your telephone calls to another number. The exact code may vary from country to country or operator to operator.
Once that happens, the attacker asks Whatsapp on his device for a one-time password for your account. That code is received by (automated) telephone call. But because phone calls are forwarded, that code ends up with the attacker. With that code, your WhatsApp account on your own device is closed and transferred to the attacker’s device.
Bleeping Computer was able to successfully test the practice. The site nuances that as an attacker you must know the correct code, and that the victim will also receive a notification that telephone calls are being forwarded. The attack, therefore, does not happen without the victim noticing, but at the same time, it does not require any technical hacking skills so that the practice can be applied by a wide audience of scammers.
