My Family and I Got Hacked Through WhatsApp Please Read!

About 4 days ago, both I and a member of my family were hacked at different times through a vulnerability in WhatsApp. We were suddenly logged out of our accounts, and after investigating, we realized we had been targeted.

The hacker used a clever trick to keep us locked out for as long as possible. He kept requesting verification codes repeatedly, so whenever I tried to log back in, I was told to wait 5 or even 12 hours before I could request a new code.

Thankfully, my account was protected by two-step verification (2FA), so even when the hacker got in, he couldn’t do anything. But my family member didn’t have 2FA enabled, and the hacker managed to access the account, mess around, and even started messaging people.

What I noticed during the attack:

  • You get automatically logged out of your account.

  • The hacker seems to exploit a flaw in WhatsApp Business. When I asked a friend to check my account while it was hacked, he told me it had turned into a business account; the same thing happened to my family member.

As soon as I recovered my account, I messaged everyone I know and begged them to activate 2FA immediately. This vulnerability is serious, and anyone could be next.

Today, I finally found a video explaining this exact issue.

And now… I’ve made my decision. I’m done with WhatsApp. I’ve delayed this choice for too long, but after what happened, enough is enough.

Goodbye WhatsApp. Goodbye Meta. I don’t need you anymore.

10 Likes

Interesting. Thanks for sharing!

1 Like

That must be a scary situation.

How were you initially targeted you think? Did you notice a suspicious text with a URL preview?

It’s a zero-click vulnerability!

Also, the hacker told me, when I tried to contact him using my family's hacked number, that he has a list of around 50k WhatsApp numbers that he joins randomly!

Was this on iOS? There also was one recently for Samsung devices.

Yes, we both use iOS. Also, I found this:

I doubt it was a zero-day, but rather a SIM takeover as you didn’t have a PIN set up; it happens a lot with Telegram users.

Margarita Franklin, a Meta spokesperson, has confirmed that the vulnerability was detected and patched a few weeks ago. As for the impact, Meta says it notified affected WhatsApp users, and this number was less than 200.

Meta should’ve notified you if you were one of these specifically targeted people. I doubt such a “hacker” would have even replied to you.

No, I’m sure I didn’t do anything, and nothing happened to my SIM card or my family’s. We haven’t received any notifications or warnings from Meta at all.

Regarding the “hacker”, I can’t say I believe or disbelieve him. He told me this, and I have a screenshot of that.

IIRC a similar bug (well, what I mean is being zero-click) happened on Telegram at some point as well; the workaround at that time was to set the messenger not to auto-download attachments/media.

If the same setting is available in WhatsApp, then I think people should activate it as well.

WhatsApp wouldn’t have been in this kind of issue if it removed metadata from attachments during the upload stage. But I guess they are incentivized not to do so.

1 Like

What WhatsApp should really implement is a way to prevent receiving messages from unknown numbers instead.

2 Likes

I don’t think it is a good idea. Instead, they could limit messages from non-contacts to text-only until the recipient “verifies” or “accepts” the conversation.

Alternatively, WhatsApp could implement a message request feature, where a “non-contact” will be told to write something in the request, and the recipient can either approve/ignore/block/report-and-block the sender.

2 Likes

Why wouldn’t it be a good idea to just have this as an option in the settings for users who want to use it? As long as it isn’t enabled by default, I see no harm in having it as an option. It would allow those who only have WhatsApp installed for a few people who are not available on other messengers to use it and prevent unwanted messages.

Then it would be fine, it looked like you wanted it to be the default behaviour in your previous message.