Taking over WhatsApp accounts by reading voicemails
When designing authentication systems, it’s common practice to implement backup mechanisms so users can easily regain access to their accounts. For instance, a typical approach provides a user with the option to receive a Time-based One-Time Password (TOTP) over SMS or email. This hinges on the assumption that the user is the only actor with access to the code that was delivered. In this post, I discuss how I was able to hijack WhatsApp accounts by exploiting a seemingly overlooked weak point — voicemail.
The investigation is centered on a vulnerability related to the Personal Identification Number (PIN) required for authenticating WhatsApp’s account backup feature. I describe how this PIN could be compromised through a voice call backup delivery method, forcing the call to go voicemail, and spoofing the victims phone number to read their voicemail.
Vulnerability Requirements
Before moving forward, I would like to highlight that this exploit only worked on users that (1) did not have two-factor authentication (2FA) set up on their WhatsApp account, and (2) had a voicemail that (3) did not have a PIN and (4) was remotely accessible when the origin number is the same as the destination number. I’ve included some thoughts on these points below.
Notes on WhatsApp 2FA
One of the key components of online security is 2FA, a secondary layer of protection that helps safeguard accounts from unauthorized access. However, WhatsApp, like many other platforms, does not enable 2FA by default. This means that users must actively enable this security feature to protect their accounts effectively.
Notes on Voicemail Security
Voicemail default settings and remote accessibility are dependent on your voice provider. In some cases your default PIN can be the last 4 digits of your phone number, a number used across all voicemails managed by your provider like “1234”, or it can be random. For more details on voicemail security and how you can minimize your risk please check the FCC’s article on Voicemail Hacking.
Exploitation Steps
The attack scenario revolves around a series of carefully orchestrated steps. The crux of this vulnerability lies in the fact that WhatsApp verification codes did not require user interaction and are automatically saved to the victim’s voicemail.
The diagram illustrates the series of steps I took to hijack my own WhatsApp account. After the diagram I provide more detail into how I carried out the attack.
Figure 1.WhatsApp Account Takeover (ATO) Overview
Step 1: Initiating the Attack
The attacker begins by requesting a verification code to the victim’s phone number. This will send the code to the victim’s phone number over SMS.
Figure 2. WhatsApp will send a verification code to the victim’s phone number
Step 2: Phone Call Delivery
Following the SMS, the attacker takes advantage of the phone call delivery method to send another verification code to the victim. Importantly, this option only becomes available after the initial SMS is sent. In the screenshot below its the 3rd option from the top.
Figure 3. You can force WhatsApp to send a verification code to the victim’s voicemail
Figure 4. WhatsApp verification codes did not require user interaction and will be saved to the victim’s voicemail
Step 3: Accessing the Victim’s Voicemail
For the attack to succeed, the verification code must land in the victim’s voicemail inbox. Now, the attacker must impersonate the victim by placing a call from the victim’s number. The objective is to spoof their identity and gain access to the victim’s voicemail. For more details on how an attacker could spoof their number please see How Easy Is It to Spoof a Caller ID? by Andrew Swoboda of Tripwire.
Responsible Disclosure
I initially tried to report this vulnerability through Meta’s bug bounty but was unable to do so because I closed my Facebook account years ago and I wasn’t able to create a new one with the same phone number.
Eventually I was able to get this in front of Meta’s security team. WhatsApp remediated this issue by requiring human interaction before providing the code, which in turn helps ensure codes aren’t leaked to voicemails.
Further Reading
I knew about this attack vector because I had read this blog on compromising Netflix accounts which led me to this blog by Shubham Shah.
While I was conducting this research I learned that I was not the first person to identify this vulnerability. A close friend shared this blog from MalwareBytes Labs that highlights the same vulnerability.
UPDATE: After publishing this blog I got hitup by Martin Vigo who shared some of the work he did in 2018 that also highlighted this ATO vector in WhatsApp accounts. You can read more about that here on his blog.
Conclusion
In summary, the investigation revealed a weakness in WhatsApp’s account backup code delivery, allowing potential account hijacking through voicemail exploitation. Attackers could compromise accounts lacking two-factor authentication (2FA) and those with remotely accessible voicemails without a PIN.
The responsible disclosure process faced challenges but ultimately led to Meta addressing the issue by introducing a requirement for human interaction before providing verification codes, a crucial step in preventing code leakage to voicemails.
As the investigation unfolded, it became evident that this vulnerability was not an isolated discovery. Other researchers, such as Shubham Shah and MalwareBytes Labs, had previously highlighted similar weaknesses, emphasizing the ongoing need for vigilance in addressing and mitigating such threats.
