Rahul Sasi, founder and CEO of digital risk protection company CloudSEK, announced that he has discovered that an attacker using the automatic call forwarding offered by some mobile services and the option to send a one-time password (OTP) verification code via voice call can hijack almost any WhatsApp account. .
To successfully carry out the attack, the hacker must first convince the victim to call a number that starts with the Human-Machine Interface (MMI) code. This number is usually set by the mobile operator and is used to enable call forwarding.
The number usually begins with a star or square symbol. These codes are readily available and most major mobile network operators support them.
Calling this number forwards all future calls to the attacker’s endpoint. After that, the process becomes relatively easy as the attacker can initiate the WhatsApp registration process on their device and get the OTP via voice call.
BleepingComputer who tested it says it generally works, with a few caveats. First, the attacker needs to trick the victim into using an MMI code that forwards all calls, not just busy calls. Next, they need to make sure that the victim has been busy long enough to miss the text message that WhatsApp has been saved on another device. Also, if the victim has already enabled call forwarding, attackers should use a different phone number, which is “a minor inconvenience that may require further social engineering.” The publication confirmed that the method works on Verizon and Vodafone.
28446
