Photo: Eliseu Geisler / Shutterstock.com (Shutterstock)
Phone numbers are a finite resource. So when a line is discontinued, there’s a good chance the telco will reassign the number to a new subscriber. This can be a big problem with WhatsApp. In some cases, if you get your hands on a phone number that was associated with an existing WhatsApp account, you can hijack it and impersonate the user, including their name and profile photo. You will receive all their incoming messages and get access to their group chats. There is no way for other people to know that you are a scammer. WhatsApp has known about this problem for years, but there are no solutions in sight unless you take proactive steps to protect yourself.
“This is a massive invasion of privacy,” said Eric, who asked that we withhold his last name. Eric would know: he works on privacy issues at a big tech company, and his son accidentally took over someone else’s WhatsApp account a few months ago.
Eric’s son Ugo lived in Switzerland but got a new job and moved to France in October 2022. There, he got a new phone plan and eventually opened WhatsApp. He used the app’s built-in feature to switch to his new number. But as he typed in his new French number, something strange happened.
“As soon as he changed his phone number, his WhatsApp profile picture changed to a photo of a woman and a number of conversations popped up on his app,” Eric said. “He found his account had been merged with someone else’s. My son received all of her incoming messages, even conversations about work. He started talking to that person’s grandmother and other people to tell them what happened.”
Sound surprising? It wasn’t for WhatsApp.
Because Eric works at a technology company, he knows what to do when there is a serious security issue. He contacted WhatsApp through the company’s bug disclosure program. When WhatsApp got back to him, an employee indicated that the company was aware of the problem, brushed him off and closed the ticket.
“I couldn’t understand how Meta [WhatsApp’s parent company] could treat such a big issue so lightly,” said Eric. Alarmed by the careless response, he decided to contact the press, but not before letting WhatsApp know he would. He gave the company three months to respond.
To be clear, this doesn’t give you access to another user’s message history, only to messages sent to them after you take over the account. But it’s still a big problem. Not only can this happen accidentally, but experts Gizmodo spoke to agreed that it leaves WhatsApp users vulnerable to a SIM-swapping attack, in which a hacker tricks a phone company into transferring a victim’s phone number to them.
Eric assumed this was a one-in-a-million fluke. After all, people change their phone numbers all the time. But then he set out to test the account takeover himself. He bought two prepaid SIM cards and was able to reproduce the problem within minutes.
Response from WhatsApp: New phone, who that?
It turns out that what happened to Ugo is nothing new for WhatsApp: it was already news three years ago. The exact same thing happened to Joseph Cox, a Vice cybersecurity reporter who wrote about the issue in 2020. It seems that very little has changed since then.
Essentially, WhatsApp said the problem is the fault of phone companies and users who aren’t taking recommended security precautions. “We take many steps to prevent people from receiving unwanted messages, including expiring accounts after a period of prolonged inactivity,” said a WhatsApp spokesperson. “In the extremely rare instances where mobile operators are reselling phone lines faster than usual, these extra layers help protect accounts.”
Stressing that WhatsApp doesn’t keep copies of user messages, the spokesperson said this issue isn’t a bug or flaw in WhatsApp, likening the issue to getting someone else’s mail when you move to a new house.
If you get a new phone number, WhatsApp recommends changing the number associated with your account immediately, or deleting your account if you no longer wish to use it. WhatsApp also strongly recommends that everyone set up two-factor authentication, which uses a PIN code instead of text messages. All of these measures are designed to protect you from account takeover.
“WhatsApp is so big that chances are every phone number you get has been used on WhatsApp at some point. Even if there’s a 1% chance, there will be a lot of people their size,” said Cooper Quintin, security researcher and senior staff technologist at the Electronic Frontier Foundation.
“I don’t think WhatsApp is blameless, but there are a number of imperfect systems and imperfect solutions here,” Quintin said. For one, phone companies should wait longer before recycling phone numbers, he said.
WhatsApp requiring all users to enable two-factor authentication would mean a compromise between security and usability. It’s not entirely clear what the right move is. Likewise, the app could adopt usernames instead of phone numbers, which are fickle. In comparison, Gmail does not reuse email addresses under any circumstances. But even that is a compromise. Phone numbers are part of what makes WhatsApp so popular and easy to use.
“WhatsApp needs to have a stronger process to make sure people know their messages are going to the right person,” said Patrick Jackson, chief technology officer at security firm Disconnect and a former wireless and mobile security researcher for the NSA. Jackson said it’s a big mistake by WhatsApp to assign another account’s profile photo when you use the New Phone Number feature in the app. “This is a clear signal that this is a different account, it doesn’t make any sense,” he said.
Likewise, Jackson said it probably wouldn’t be a good idea to automatically merge existing accounts’ group chats. WhatsApp could also send a message to people, letting them know that a phone number has been registered on a new device, to make sure nothing goes wrong. “It shouldn’t be that easy to impersonate someone else,” Jackson said. “This is a complex issue, but it’s one that WhatsApp can and should work on.”
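To make the mechanics concrete, here is a toy model of an account directory keyed by phone number. It is added here and is not WhatsApp’s code; the 120-day inactivity window, the outcome labels and the sample numbers are assumptions. It shows why proving possession of a number via SMS alone re-attaches a recycled number to the previous owner’s identity, and how the two defenses discussed above, a two-step verification PIN and expiring dormant accounts, change the outcome.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

# Assumed dormancy threshold; WhatsApp's real window is not published here.
INACTIVITY_LIMIT = timedelta(days=120)


@dataclass
class Account:
    phone: str
    display_name: str
    last_seen: datetime
    pin: Optional[str] = None           # two-step verification PIN, if enabled
    groups: Set[str] = field(default_factory=set)


class Registry:
    """Toy directory where the phone number *is* the account identity."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, phone: str, display_name: str, now: datetime,
                 pin_entered: Optional[str] = None) -> Tuple[str, Optional[Account]]:
        """A device has just proved it receives SMS for `phone`.
        Returns (outcome, account). Outcomes: new, expired_recreated,
        rejected_pin, owner_restored, takeover."""
        existing = self.accounts.get(phone)
        if existing is None:
            acct = Account(phone, display_name, now)
            self.accounts[phone] = acct
            return "new", acct
        if now - existing.last_seen > INACTIVITY_LIMIT:
            # Dormant account: expire it instead of handing it to the newcomer.
            acct = Account(phone, display_name, now)
            self.accounts[phone] = acct
            return "expired_recreated", acct
        if existing.pin is not None and pin_entered != existing.pin:
            # SMS possession is not enough once a PIN is set.
            return "rejected_pin", None
        # Active account and no PIN (or the right PIN): the existing identity,
        # profile and group memberships re-attach to whoever holds the number.
        existing.last_seen = now
        outcome = "owner_restored" if existing.pin is not None else "takeover"
        return outcome, existing
```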
How to protect your WhatsApp account
First off, if you’re not using two-factor authentication, what are you doing with your life? This is an easy way to protect yourself, and you’re leaving yourself exposed if you don’t turn it on. Don’t stop at WhatsApp either: you should use two-factor authentication wherever it’s available.
To set up two-factor authentication: Open WhatsApp and tap Settings > Account > Two-Step Verification > Select a six-digit PIN. WhatsApp asks for this PIN regularly, so make sure you can remember it.
You can also change your phone number on the account page, which you should do as soon as possible if you get a new one. Or, when you’re finally done with the app, you can use the “Delete My Account” option from the same menu.