Phone numbers are a limited resource. So when one leaves a service, there is a good chance that telecom companies will reuse it for a new phone plan. This can be a big problem on WhatsApp. In some cases, if you get hold of a phone number that was linked to an existing WhatsApp account, you can hijack it and assume the user's identity, including their name and profile picture. You will get all their incoming messages and access to their group chats. There is no way for other people to know that you are an impostor. WhatsApp has known about this issue for years, but there are no fixes in sight unless you take proactive steps to protect yourself.
“It’s a massive breach of privacy,” said Eric, who asked us to withhold his last name. Eric should know, because he works on privacy issues at a large tech company, and because his son accidentally took over someone else’s WhatsApp account a few months ago.
Eric’s son Ugo lived in Switzerland, but got a new job and moved to France in October 2022. There, Ugo got a new phone subscription and then opened WhatsApp. He used the app’s built-in feature to switch to his new number. But when he entered his new French digits, something strange happened.
“As soon as he changed his phone number, his WhatsApp profile picture changed to a woman’s and a bunch of conversations started popping up on his app,” Eric said. “He realized his account had been merged with someone else’s. My son received all incoming messages, even calls about work. He started talking to this person’s grandmother and other people to tell them what happened.”
Does that sound surprising? It wasn’t to WhatsApp.
Since Eric works at a technology company, he knew what to do with a serious security problem: he contacted WhatsApp through the company’s bug reporting program. When WhatsApp got back to him, an employee indicated that the company already knew about the problem, brushed him off, and closed the ticket.
“I couldn’t understand how Meta (WhatsApp’s parent company) could be so dismissive of such a big problem,” Eric said. Alarmed by the lack of response, he decided to reach out to the press, but not before giving WhatsApp a chance to address it. He gave the company three months to respond.
To be clear, this does not give you access to another user’s message history, only to messages sent to them after you have taken over the account. But it is still a big problem. Not only could this happen accidentally, but the experts Gizmodo spoke to agreed that this leaves WhatsApp users vulnerable to a SIM swapping attack, where a hacker tricks a phone company into transferring a victim’s phone number to them.
Eric assumed this was a one-in-a-million mistake. People change phone numbers all the time. But then he went to test the account takeover himself. He bought two prepaid SIM cards and was able to reproduce the problem within minutes.
WhatsApp’s answer: New phone, who is this?
It turns out that Ugo’s number-change mishap is not news to WhatsApp, because it was news three years ago. The same thing happened to Joseph Cox, a cybersecurity reporter, who wrote about the problem in 2020. It seems that very little has changed since then.
Essentially, WhatsApp said the problem is the fault of phone companies and users who do not take recommended safety measures. “We take many steps to prevent people from receiving unwanted messages, including expiring accounts after a period of sustained inactivity,” a WhatsApp spokesperson said. “In the extremely rare circumstances where mobile operators quickly resell phone lines faster than usual, these extra layers help keep accounts safe.”
Stressing that WhatsApp does not store copies of user messages, the spokesperson said that this issue is not a bug or a flaw in WhatsApp, likening it to the problem of getting someone else’s mail when you move to a new house.
If you get a new phone number, WhatsApp recommends that you change the number associated with your account immediately, or delete your account if you no longer want to use it. WhatsApp also strongly encourages everyone to set up two-factor authentication, which uses a PIN instead of text messages. All these measures should protect you against an account takeover.
“WhatsApp is so big that there is a good chance that any phone number you get will have been used on WhatsApp at some point. Even if it’s a 1% chance, at their scale that would be a lot of people,” said Cooper Quintin, a security expert and senior technologist at the Electronic Frontier Foundation.
“I don’t think WhatsApp is flawless, but there are a number of imperfect systems and imperfect solutions here,” Quintin said. First, phone companies should wait longer before recycling phone numbers, he said.
Requiring all users to turn on two-factor authentication would entail a trade-off between security and user-friendliness. It is not entirely clear what the right move is. Similarly, the app could adopt permanent usernames instead of phone numbers. Gmail, by comparison, never reuses email addresses under any circumstances. But there is also a trade-off there. Phone numbers are part of what makes WhatsApp so popular and easy to use.
“WhatsApp needs to have more of a process to make sure people know their messages are going to the right person,” said Patrick Jackson, chief technology officer at security company Disconnect and a former wireless and mobile security researcher for the NSA. Jackson said it’s a big mistake for WhatsApp to assign another account’s profile picture when you use the “new phone number” feature in the app. “It’s a clear signal that it’s another account, it doesn’t make sense,” he said.
Similarly, Jackson said it’s probably not a good idea to automatically merge existing accounts’ group chats. WhatsApp could also send a message to people telling them that a phone number is registered on a new device, to make sure nothing goes wrong. “It shouldn’t be so easy to masquerade as another person,” Jackson said. “This is a complex problem, but it’s one WhatsApp can work on, and they should.”
How to protect your WhatsApp account
First, if you’re not using two-factor authentication, what are you doing with your life? This is an easy way to protect yourself, and you’re a sitting duck if you don’t turn it on. Don’t stop with WhatsApp either, you should use two-factor authentication wherever it’s available.
To set up two-factor authentication: Open WhatsApp and tap Settings > Account > Two-step verification > Choose a six-digit PIN. WhatsApp will ask for this PIN periodically, so make sure you have a way to remember it.
On the account page you can also change your phone number, which you should do as soon as possible if you get a new one. Or, if you’re done with the app for good, you can use the “Delete My Account” process from the same menu.