Accidental WhatsApp account takeovers? It's a thing
Blame it on phone number recycling (yes, that's a thing, too)
A stranger may be receiving your private WhatsApp messages, and also be able to send messages to all of your contacts – if you have changed your phone number and didn't delete the WhatsApp account linked to it.
Your humble vulture heard this bizarre tale of inadvertent WhatsApp account hijacking from a reader, Eric, who told us this happened to his son, Ugo.
"This is a massive privacy violation," Eric said. "My son had long-lasting access to that person's private messages as well as group messages, both personal and work related."
The security hole stems from wireless carriers' practice of recycling former customers' phone numbers and giving them to new customers.
WhatsApp acknowledges that this can happen, but says it's extremely rare.
"We take many steps to prevent people receiving unwanted messages, including expiring accounts after a period of sustained inactivity," a WhatsApp spokesperson told The Register. "If for some reason you no longer want to use WhatsApp tied to a particular phone number, then the best thing to do is transfer it to a new phone number or delete the account within the app."
"In all cases, we strongly encourage people to use two-step verification for added security," the spokesperson continued. "In the extremely rare circumstances where mobile operators quickly re-sell phone lines faster than usual, these additional layers help keep accounts safe."
It's not a widespread problem, at least not yet, but a data privacy issue nonetheless, and a cautionary tale for users of any messaging service that uses mobile phone numbers as a primary form of user identification. Oh, and the WhatsApp spokesperson is spot on about two-factor verification, which everyone should use anyway.
Here's what happened.
Ugo was a long-time WhatsApp user in Switzerland with his account tied to his Swiss phone number. In October, he moved to Paris for work, got a new French phone number and a new SIM card. All the while he was using WhatsApp, which continued sending and receiving messages as usual, unaware of the phone number change.
Later that month, he changed his phone number with WhatsApp, and then things got ugly. Here's what happened, according to Eric:
His phone was immediately flooded with all the groups from a stranger, and he started receiving all the new messages that were meant for that person, whether individual or in the groups. His profile photo was also swapped for the other person's photo. Note that this person seemed to be Italian, most/all messages were in Italian… He tried to respond to these individuals and groups saying he wasn't the right person, but that was very confusing to others because to others, he appeared as the person they thought he was.
Eric disclosed the issue to WhatsApp and parent company Meta, and was told that it's a recycled phone number issue, not a WhatsApp-specific bug. "For example, if a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset," the security team told him. "If that number is still associated with a user's Facebook account, the person who now has that number could then take over the account."
Meta admitted that "this is a concern," but told Eric that it didn't qualify as a bug for the bug bounty program. "Facebook doesn't have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them," the email said.
According to Eric, however, WhatsApp could take steps to mitigate the problem, like regularly checking that a user's phone number is still correct.
"At the very least when they see that someone is requesting a phone number change (from A to B) and they see that there is an active account on phone number B that does not seem to have anything to do with the also active account attached to phone number A, challenge the account on phone number B to prove that they still own phone number B or update their number," he said.
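A toy model of the check Eric proposes, added here as an example; it is not WhatsApp's or Meta's code, and the 45-day inactivity window, account ids and phone numbers are constructed assumptions. A number-change request from A to B is refused with a re-verification challenge when an unrelated account on B is still active, and allowed only once that account has expired.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=45)  # assumed expiry window; the article gives no figure


@dataclass
class Account:
    account_id: str
    phone: str
    last_seen: datetime


class Registry:
    """Phone-number -> account map for a messaging service (constructed model)."""

    def __init__(self, now: datetime):
        self.now = now
        self.by_phone: dict[str, Account] = {}

    def register(self, acct: Account) -> None:
        self.by_phone[acct.phone] = acct

    def is_active(self, acct: Account) -> bool:
        return self.now - acct.last_seen <= INACTIVITY_LIMIT

    def change_number(self, account_id: str, old_phone: str, new_phone: str) -> str:
        """Handle an A->B number-change request and return the outcome."""
        requester = self.by_phone.get(old_phone)
        if requester is None or requester.account_id != account_id:
            return "denied: requester does not hold the old number"
        holder = self.by_phone.get(new_phone)
        if holder is not None and holder.account_id != account_id and self.is_active(holder):
            # A live, unrelated account still sits on B: do not bind A's device to it.
            # Instead, B's holder must prove they still own the number or update it.
            return "challenge: active account on new number must re-verify"
        # No live account on B (or it has expired): release it and move A across.
        self.by_phone.pop(new_phone, None)
        del self.by_phone[old_phone]
        requester.phone = new_phone
        self.by_phone[new_phone] = requester
        return "moved"


def demo() -> tuple[str, str]:
    """Constructed scenario: Ugo moves to a recycled number still held by an active stranger."""
    now = datetime(2022, 10, 20)
    reg = Registry(now)
    reg.register(Account("ugo", "+41700000000", now - timedelta(days=1)))       # placeholder numbers
    reg.register(Account("stranger", "+33600000000", now - timedelta(days=3)))
    first = reg.change_number("ugo", "+41700000000", "+33600000000")
    reg.by_phone["+33600000000"].last_seen = now - timedelta(days=60)  # stranger's account lapses
    second = reg.change_number("ugo", "+41700000000", "+33600000000")
    return first, second
```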