How to ‘Hack’ Whatsapp!!

Athul Prakash
Apr 30, 2023


by psychoSherlock

Source: Hr.Asia

Ok, I will be honest. The title is just for you to click on the blog. It’s not an actual hack 😅. It’s more like a bug that has existed in WhatsApp for almost two years. The sad part is that no one talks about it. No one simply cares about this bug, not even WhatsApp. But I promise you, this is not that silly to leave unattended.

Disclaimer: This blog is just for EDUCATIONAL AND RESEARCH PURPOSES ONLY. I am not responsible if anyone misuses the information in this blog to produce any harm to anyone. I assume no liability for any damages or losses incurred as a result of using this information. In fact, I advise readers to only share this blog with Ethical Researchers you trust.

Okay, I know we all love WhatsApp. I do too, just like the other 2.5 Billion WhatsApp users. We all use it for our day-to-day activities. Chat with your boss, and text your girlfriends. But how would you feel if one day you woke up to find out that you were logged out of WhatsApp? Ohh!! So what? I would log back in, you say.

Well, what if you can’t? What if you can’t for the next 7 hours? You would wait 7 hours, right? Well, what if it was for 24 hours? What about a week? What about 6 months? Would you wait for 6 months to log back in? Seems a lot to me!

This bug in WhatsApp allows attackers to suspend or even ban your WhatsApp account without ever needing to access it. Using just your phone number, an attacker can completely lock you out of your WhatsApp account without any prior action required on your side. Once you are locked out, it is even more improbable to log back in. What is more surprising is that, unlike other potential WhatsApp attacks such as Trojans, which require at least a little skill and luck to achieve, this hack can be done by a 10-year-old Kid with only a phone! Even Two Factor Authentication would not stop this.

The attack goes on like this…

It’s simple. All you need to have is the victim’s phone number, a good phone, and an Email address. I am going to write the steps as one would do in a POC, just so that NOOBIE TERMUX HACKERS won’t read them. I also won’t really detail the exact steps, so that less harm is done.

  1. The attacker gathers the phone number of the victim.
  2. The attacker installs a fresh version of Whatsapp on his phone.
  3. Opening WhatsApp, the attacker is asked for a phone number, where he submits the VICTIM’s phone number and then taps Next.
  4. On the OTP page, the attacker waits till the timer ends.
  5. And when the timer ends, the attacker taps on the option: Did not receive code?
  6. He would see two or three options, one to Send sms, second to Call, and third to Verify on another phone
  7. The attacker taps on Send SMS. Waits for the timer to end, and then repeats the process again. He repeats this again. Notice that the timer for sms verification increases each time. He does this until the timer shows 7 hours.
  8. Now the attacker taps on the Call Verification option instead of sms. He repeats this until the timer shows 3 hours.
  9. Now, this is only the first stage. The rate limit on the WhatsApp OTP API doesn’t check whether the request is from the same phone or a different phone. It checks the phone number every time. So every time that VICTIM’s phone number is registered, the rate limiting gets triggered.
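
The locking effect of a rate limit keyed on the phone number alone can be shown with a toy model. This is an added example, not WhatsApp's code or the author's; the back-off schedule, the class and function names, and the "trusted lane" mitigation are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed back-off schedule in seconds; the service's real values are not known.
BACKOFF = [60, 300, 3600, 7 * 3600]


class CodeRequestLimiter:
    """Toy limiter for 'send me a verification code' requests (hypothetical)."""

    def __init__(self, trusted_lane=False):
        self.trusted_lane = trusted_lane
        self.strikes = defaultdict(int)       # bucket -> requests counted so far
        self.locked_until = defaultdict(int)  # bucket -> time the bucket reopens
        self.last_verified = {}               # number -> device that last verified it

    def bucket(self, number, device):
        if not self.trusted_lane:
            # Behaviour described in the post: one shared bucket per phone number.
            return number
        # Hardened variant (assumption): the device that last completed
        # verification for this number is throttled separately from all others.
        lane = "trusted" if self.last_verified.get(number) == device else "untrusted"
        return (number, lane)

    def request_code(self, number, device, now):
        """Return 0 if a code is sent, else the seconds the caller must wait."""
        b = self.bucket(number, device)
        if now < self.locked_until[b]:
            return self.locked_until[b] - now
        step = min(self.strikes[b], len(BACKOFF) - 1)
        self.strikes[b] += 1
        self.locked_until[b] = now + BACKOFF[step]
        return 0


def owner_wait_after_flood(limiter, number="+10000000000"):  # constructed number
    """Wait imposed on the owner's device after another device exhausts the schedule."""
    limiter.last_verified[number] = "owner-device"
    now = 0
    for _ in BACKOFF:
        # Each request is made as soon as the previous timer expires.
        now = max(now, limiter.locked_until[limiter.bucket(number, "other-device")])
        limiter.request_code(number, "other-device", now)
    return limiter.request_code(number, "owner-device", now)


if __name__ == "__main__":
    print("per-number bucket:", owner_wait_after_flood(CodeRequestLimiter()), "s")
    print("with trusted lane:", owner_wait_after_flood(CodeRequestLimiter(trusted_lane=True)), "s")
```

The trusted lane only helps if the device identity cannot be claimed by another handset, and it covers the rate-limit half of the problem only, not the e-mail deactivation described next.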

And the next step is quite funny though. It seems that technology at Whatsapp grew too much and they like to automate everything. This step is very simple yet very few people seem to think of it.

  1. Attacker then writes an Email to WhatsApp, with the following content:

  2. Replace {PHONE_NUMBER_HERE} with VICTIM’s phone number in International format.

  3. Send, and wait for the Reply. May take 3–5 minutes.

  4. If everything goes well, then you shall receive the following reply:

Now, what happened? Whatsapp has some kind of automation such that if any email were to be received with that Subject and Content, the Whatsapp account will get deactivated from every device. And so the VICTIM is asked to log back in again.

Source: Forbes

But when the Victim tries to log back in again, that’s where the catch is. He won’t be able to log back in as we have already rate limited the API, so he is asked to wait for 7 hours. There is no way for the victim to get back in, not even contacting WhatsApp helps. He will have to sit out the 7 hours. Not even 2FA protected him.

The thing is, even if he waits out 7 hours, the Attacker would run this process again, thus completely locking the VICTIM out.

And there is an even more nasty twist in this. If the attacker kept on doing the Rate limiting process for another cycle without sending the email, after 7 hours it will be 11 or 12 hours. And after 12 hours it appears that Whatsapp will break down. Another BUG. It will show: “Try again after -1 seconds”

Source: Forbes

If the attacker waits until now before emailing WhatsApp Support to deactivate your number, there will be no way for you to reregister WhatsApp on your phone when you are kicked out of your app. That’s it! End of the story.

Imagine the business and personal impact this might have. While buying a new number is a great idea, the bug is still a bug and the attacker might be able to do this again.

So what’s the catch?

Well, only one. There’s a possibility that when the Email is sent, the attacker might receive the following reply:

Well, if this was the reply, then there is nothing the attacker could do. I don’t know the reason for this response. But it just happens that sometimes the reply is this. The other response happens to be occurring 2/3rd of the time. If you guys have any idea about this, do let me know.

How to protect yourself

As I said, you CAN’T!!

Not really, there are two methods I would advise:

  1. Don’t make Enemies
  2. Don’t let your phone number be public

If you guys did find anything, do let me know.

One more thing to note is that this is not a very rare case, you know, attackers using this method. In fact, let me talk about my own case.

I roamed around Telegram groups of Termux hackers ( Script Kiddies ) and asked them to hack me if they can. I was very confident in myself. I mean why should I not be. I am a Hacker and I know security is in my own hands. But then this kid just Banned me from WhatsApp. Lol.. I was so scared back then. Fortunately he didn’t ban me forever. So I was able to log back in.

And then I searched through the web to finally land on Forbes. And this seemed to be the exact way the kid did it to me. Everything fitted fine.

So the point is, I got hacked. Please don’t get hacked by sharing this Blog. I don’t encourage you to share this. And also leave me alone if you are going to test something 🙂.

Credits

Thanks to Zak Doffman at Forbes for publishing this article. It has a more detailed explanation if someone wants to study further.

Kudos to Luis Márquez Carpintero and Ernesto Canales Pereña for discovering this issue. These researchers tried every possible way to contact Whatsapp and they simply don’t CARE!
