The Israel National Cyber Directorate warned Tuesday of a security loophole in the popular instant messaging application WhatsApp, which can allow attackers to take over users’ personal accounts.
The Directorate, a unit belonging to the Prime Minister’s Office, said in a statement that “a number” of Israelis reported to it that their accounts were compromised.
It didn’t detail the scope of the hacking, the damage caused, or the method used by the attackers.
But it did mention a hacking technique used in the past and detailed ways to block it, possibly hinting that the attackers took over the WhatsApp accounts through the victims’ voicemail.
The technique doesn’t require technical knowledge and relies on the fact that most people don’t change the default voicemail password on their phones. A voicemail message can be used as one of the verification methods for WhatsApp accounts.
Attackers call their victims at a time they are unlikely to answer, type in common default voicemail passwords such as 0000 or 1234, and can then obtain their WhatsApp verification code and take over the account.
To prevent that, the Cyber Directorate recommended that users change their voicemail password or cancel their voicemail entirely if they never use it. It also said users should activate WhatsApp’s two-stage verification option, which would then require an attacker to provide an additional form of verification before taking over the account.