ADVISORY ON WHATSAPP FLAW THAT LEADS TO SHOULDER SURFING ATTACKS

Background Description:

Studies show that 80% of Bruneians use WhatsApp for business and for sharing information via mobile devices. Because WhatsApp verifies a login on a new device by sending a 6-digit code to the account's phone number via SMS, users are open to account hijacking by simple 'shoulder surfing'. Someone who knows a user's phone number can take over the account just by looking at the victim's phone screen when the 6-digit code arrives.


Impact:

  • Anyone can gain full access to a user's WhatsApp account using just their phone number and a glance at the verification code
  • Anyone can spy on an unattended device to read the WhatsApp verification code delivered by SMS

Recommendation:

  • Turn off notification previews for SMS so the verification code is not shown on the screen
  • Never leave your mobile device unattended, even if it is password protected
  • Never share confidential information through WhatsApp
  • Enable WhatsApp two-factor authentication (two-step verification) so that the SMS code alone is not enough to register the account on a new device
  • Back up your files regularly