So, this is a nasty new surprise for millions of iPhone users. It seems that WhatsApp has fixed the most alarming security issue plaguing its 2 billion users. But not for you—this absolutely critical new fix is Android-only. Your serious problem is not going away.
The issue is the account hijacks that continue to plague users worldwide. The fact this has not yet been addressed is stunning, given the scale of the issue and the publicity it has generated. But finally, it seems there is some relief. At least for Android users.
Some of these account hijacks are stupidly simple—tricking users into forwarding WhatsApp’s six-digit SMS verification codes, which attackers then use to transfer your WhatsApp to their own phones. They then message your contacts, pretending to be you, usually requesting money. Other attacks are more complex, such as the “account suspension hack” we warned you about in April, where anyone can block your WhatsApp account by repeatedly entering incorrect codes against your number.
The first of these issues can be prevented by setting up 2FA inside WhatsApp—Settings / Account / Two-Step Verification. This is different to the code WhatsApp sends by SMS, and it prevents any trickster from stealing your account. The second can’t be prevented unless/until WhatsApp stops automating account suspensions without checking that the request comes from an account holder.
What’s always been most annoying about this problem is that it seems so ridiculous. There is a phone number associated with your WhatsApp account, a text is sent to that number to verify a new install, but the app cannot check that the phone on which it is being installed is the one associated with that same number. Cue the hijacks.
There are clearly privacy issues with WhatsApp pulling identifying data from the device—except that it does plenty of that anyway. This isn’t Signal we’re talking about. But even the suspension attack is so basic as to be laughable. It would not be difficult to find ways to prevent what is essentially a brute force attack on your account from a third-party device in a different location.
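To make the last point concrete, here is an added illustration (not WhatsApp’s code, and not a description of how its servers actually work) of the design difference between suspending the targeted number after a run of wrong codes and throttling only the client that is doing the guessing. The class names, the failure limit and the sample phone number and code are all constructed for this example.

```python
"""Added illustration: two server-side reactions to repeated wrong verification codes.

NumberSuspendingVerifier counts failures per phone number and suspends the
number, so a third-party device can lock the real owner out.
RequesterThrottlingVerifier counts failures per (requester, number) and
throttles only that requester, so the owner's own attempt is unaffected.
Names, limits and sample data are constructed; nothing here is WhatsApp's code.
"""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5  # constructed limit on wrong codes before the server reacts


@dataclass
class NumberSuspendingVerifier:
    """Naive policy: a run of wrong codes against a number suspends the number."""
    correct_codes: dict
    failures: dict = field(default_factory=lambda: defaultdict(int))
    suspended: set = field(default_factory=set)

    def attempt(self, number: str, code: str, requester: str) -> str:
        if number in self.suspended:
            return "suspended"
        if code == self.correct_codes[number]:
            self.failures[number] = 0
            return "ok"
        self.failures[number] += 1
        if self.failures[number] >= MAX_FAILURES:
            # The number is locked regardless of who sent the wrong codes.
            self.suspended.add(number)
            return "suspended"
        return "wrong"


@dataclass
class RequesterThrottlingVerifier:
    """Keyed policy: failures are counted per (requester, number).

    Only the requesting client that keeps guessing is throttled; the number
    itself is never suspended, so the legitimate owner can still verify.
    """
    correct_codes: dict
    failures: dict = field(default_factory=lambda: defaultdict(int))
    throttled: set = field(default_factory=set)

    def attempt(self, number: str, code: str, requester: str) -> str:
        key = (requester, number)
        if key in self.throttled:
            return "throttled"
        if code == self.correct_codes[number]:
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.throttled.add(key)
            return "throttled"
        return "wrong"


def simulate(verifier_cls):
    """Constructed scenario: a third-party device enters MAX_FAILURES wrong
    codes against the owner's number, then the owner enters the correct code.
    Returns the server's answer to the owner's attempt."""
    verifier = verifier_cls(correct_codes={"+15550100": "123456"})
    for i in range(MAX_FAILURES):
        verifier.attempt("+15550100", f"{i:06d}", requester="third-party-device")
    return verifier.attempt("+15550100", "123456", requester="owner-device")


if __name__ == "__main__":
    print("suspend-the-number policy, owner result:", simulate(NumberSuspendingVerifier))
    print("throttle-the-requester policy, owner result:", simulate(RequesterThrottlingVerifier))
```

Under the first policy the owner’s correct code is rejected because a stranger’s wrong guesses have already locked the number; under the second, the guessing client is throttled and the owner verifies normally. Real deployments would add per-IP and global rate limits and expiring counters, but the point the article makes is captured by which key the failure counter is attached to.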