The popular messaging platform WhatsApp has introduced a new security feature that closes a loophole which, if exploited, could allow an attacker to take over a victim's account; to do so, the attacker needs only the victim's phone number and some skills.
The attack does not exploit any vulnerability in WhatsApp; instead, it relies on the way the account setup mechanism works.
How an attacker hijacks a WhatsApp account:
As we all know, WhatsApp lets users sign up with their phone number, so an attacker who wants to take over a WhatsApp account needs the OTP (one-time password) sent to the phone number linked with that account.
The attacker can obtain this OTP by diverting the SMS containing the passcode to their own computer or phone, using either a malicious app or an SS7 vulnerability, and then log into the victim's WhatsApp account. The attack works even when the phone is locked.
What’s new in WhatsApp security:
In August this year, Iranian state-sponsored hackers reportedly hijacked dozens of Telegram accounts belonging to activists and journalists by exploiting a similar loophole. At the time, many professionals noted that such an attack could also be used against any messaging app, including WhatsApp and Viber, whose registration relies on SMS-based verification.
To fix this issue, WhatsApp has now introduced a Two-Step Verification (2SV) passcode feature in its beta version for Android, which helps lock down the WhatsApp setup mechanism.
In other words, to reconfigure a WhatsApp account with two-step verification enabled, one needs not just the OTP but also the 6-digit 2SV passcode set by the user.
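To make the mechanism concrete, here is an added example (not WhatsApp's code) that models the re-registration flow in Python: a phone number, a single-use SMS OTP and, once 2SV is enabled, the 6-digit passcode as a second factor. The Registrar class, the phone number and the passcode value are constructed for illustration.

```python
# Constructed model of the registration flow described above (not WhatsApp's code):
# re-registering a number needs the SMS OTP and, once 2SV is on, the 6-digit passcode too.
import hashlib
import hmac
import secrets

def _hash(passcode, salt):
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

class Registrar:
    def __init__(self):
        self.accounts = {}  # phone -> {"otp": str | None, "salt": bytes, "pc_hash": bytes | None}

    def enroll(self, phone):
        self.accounts[phone] = {"otp": None, "salt": secrets.token_bytes(16), "pc_hash": None}

    def enable_2sv(self, phone, passcode):
        # Keep only a salted PBKDF2 hash of the passcode; the article's passcode is 6 digits.
        if len(passcode) != 6 or not passcode.isdigit():
            raise ValueError("passcode must be exactly 6 digits")
        self.accounts[phone]["pc_hash"] = _hash(passcode, self.accounts[phone]["salt"])

    def send_otp(self, phone):
        otp = f"{secrets.randbelow(10**6):06d}"  # fresh single-use OTP, as the SMS would carry it
        self.accounts[phone]["otp"] = otp
        return otp

    def register(self, phone, otp, passcode=None):
        # Returns "ok", "bad_otp", "passcode_required" or "bad_passcode".
        acct = self.accounts[phone]
        if acct["otp"] is None or not hmac.compare_digest(acct["otp"], otp):
            return "bad_otp"
        acct["otp"] = None  # the OTP is consumed once checked, whatever happens next
        if acct["pc_hash"] is not None:  # 2SV enabled: the OTP alone is not enough
            if passcode is None:
                return "passcode_required"
            if not hmac.compare_digest(acct["pc_hash"], _hash(passcode, acct["salt"])):
                return "bad_passcode"
        return "ok"

def walkthrough(phone="+15550100"):  # constructed sample number
    # Replay the article's scenario: an attempt holding only the OTP, before and after 2SV.
    r = Registrar()
    r.enroll(phone)
    otp_only = r.register(phone, r.send_otp(phone))         # no 2SV yet: the OTP suffices
    r.enable_2sv(phone, "482913")                           # owner sets the 6-digit passcode
    with_2sv = r.register(phone, r.send_otp(phone))         # same OTP-only attempt now fails
    legit = r.register(phone, r.send_otp(phone), "482913")  # owner also supplies the passcode
    return otp_only, with_2sv, legit
```

Running walkthrough() returns ("ok", "passcode_required", "ok"): the same OTP-only attempt that succeeds before 2SV is stopped once the passcode is set.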
How to Enable Two-Step Verification in WhatsApp:
To enable two-step verification (2SV), you need to sign up for WhatsApp's beta version and follow these simple steps:
- Go to WhatsApp Settings → Account → Two-step verification.
- Tap Enable, set a 6-digit passcode and confirm it.
- On the next screen, enter your email address (optional) to enable passcode recovery via email. (It's recommended to add an email as a backup so that you're not locked out of your account if you forget your passcode.)
- Hit "Done," and you are all set.
So, the next time you reconfigure your WhatsApp account on a new phone or add a new phone number to your account, the messaging app will require you to enter and confirm this six-digit secret code.
Providing your email address is optional; if enabled, it lets you reset your passcode when you forget it. Here's what WhatsApp explained about the email option:
“We do not verify this email address to confirm its accuracy. We highly recommend you provide an accurate email address so that you are not locked out of your account if you forget your passcode. If you receive an email to disable two-step verification but did not request this, do not click on the link. Someone could be attempting to verify your phone number on WhatsApp.”
But what if you forget the passcode after setting it months ago? To help you remember your 2SV passcode, WhatsApp will periodically ask you to enter it, and there is no way to opt out of these prompts without disabling 2SV.
For now, the feature is available only in the WhatsApp beta version; the company will start rolling out two-step verification with the release of a stable version for both iOS and Android, reaching over 1 billion users, in the coming weeks.
To get two-step verification now, you can sign up to become a beta tester and update to WhatsApp (Beta) version 2.16.346 directly from the Google Play Store.
Once signed up, your smartphone will be updated automatically to the WhatsApp beta version in the next app update cycle.