WhatsApp – Simple Hack (Verifying your phone number in WhatsApp)

While I was travelling outside the UK, I was forced to use a second cell phone, so in order to use my WhatsApp application I had to re-authenticate with the WhatsApp server. Instead of switching SIM cards back and forth, which I thought was a bit of a hassle (feeling a bit lazy), I was curious to test the WhatsApp verification process and see how robust it was. I tried to find a quick way to hack through the automatic validation of my phone number and the current device using it.

How does the verification process work?

Since your mobile number is used as a unique identifier (e.g. a username) for the service, it is preferable to keep the same number so that your friends and acquaintances can contact you.

Photo : REUTERS/Dado Ruvic


It simply works by sending an SMS message with a 6-digit temporary code to the user’s cellphone in the following form: “WhatsApp Code 123-456”

The process is automated, which means the Android application does not allow the user to enter the code manually; instead, it detects the code as it arrives in your inbox.

Screenshot Step 1

WhatsApp – Mobile Number Verification Step

I typed my UK number and I received the secret passcode on a different device. By forwarding the message to my temporary phone, the WhatsApp application recognised the code and allowed me to use the service with my UK number.

According to the official WhatsApp guide, verification should time out in 10 minutes; however, testing the security mechanism after that time window was still successful.

  • Is your SMS service really slow? If it took a while to receive the test SMS you sent from your phone, retry verification and wait for the progress bar to finish. This may take up to 10 minutes, so please be patient.
  • If the timer runs out and verification fails, an option should appear to request a phone call.

Conclusion

The security controls were merely established to verify that the handset is associated with the specific phone number you declared in the first steps of account registration. By bypassing the security check, I succeeded in logging in to my account without actually receiving the authentic passcode from the WhatsApp server. Moreover, this is a clear sign that an adversary could possibly brute-force the device by sending multiple SMS messages until he manages to gain unauthorised entry.
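As an added example (not WhatsApp's code and not part of the original post), here is a minimal server-side check that enforces the 10-minute window and caps guesses against the 6-digit code, the two controls discussed above. The class name, the in-memory store, the limit of 5 attempts and the sample phone number are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60  # the 10-minute window the guide describes
MAX_ATTEMPTS = 5            # assumed cap; a 6-digit code has only 10**6 values


class VerificationStore:
    """Hypothetical in-memory store of pending codes, keyed by phone number."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # number -> [code, expires_at, attempts_left]

    def issue(self, number):
        """Create a fresh 6-digit code; an earlier code for the number is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[number] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the SMS gateway only

    def verify(self, number, submitted):
        """Return 'ok', 'wrong', 'expired', 'locked' or 'unknown'."""
        entry = self._pending.get(number)
        if entry is None:
            return "unknown"
        code, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[number]      # expiry is enforced on the server
            return "expired"
        if attempts_left <= 0:
            return "locked"                # a new code has to be requested
        entry[2] = attempts_left - 1       # count the attempt before comparing
        normalized = submitted.replace("-", "").strip()
        # Constant-time comparison on bytes (also safe for non-ASCII input).
        if hmac.compare_digest(normalized.encode(), code.encode()):
            del self._pending[number]      # single use
            return "ok"
        return "wrong"
```

Because `issue` resets the attempt counter, code requests per number need their own rate limit, otherwise the cap on guesses can be sidestepped by requesting new codes.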

 

References: