Accidental WhatsApp account takeovers? It's a thing

A stranger may be receiving your private WhatsApp messages, and also be able to send messages to all of your contacts – if you have changed your phone number and didn't delete the WhatsApp account linked to it. Your humble vulture heard this bizarre tale of inadvertent WhatsApp account hijacking from a reader, Eric, who told …

  1. elsergiovolador Silver badge

    He wasn't right

    He tried to respond to these individuals and groups saying he wasn't the right person

    The Italians probably replied:

    Don't worry, darling, in the end you'll become the right person

  2. This post has been deleted by its author

  3. Charlie Clark Silver badge
    Facepalm

    This shouldn't happen

    Looks like someone fucked up user management which should be exclusive: his account should have stopped working properly when he changed SIMs. This is what happens with Signal, and WhatsApp says it uses the same protocol.

    1. devin3782

      Re: This shouldn't happen

      But that signal is only the protocol (and yes an app with the same name), what you do before or after that in regards to messages and user accounts is entirely up to the developer. There's nothing to stop the whatsapp developers getting the text content from the input box encrypting one via the signal protocol to your mate and sending one to facebook.

      1. Charlie Clark Silver badge

        Re: This shouldn't happen

        Oh, definitely. The thing is, if you're going to use the phone number either as the primary key or the basis for one, you must enforce it.

        Phone numbers are pretty good candidates for primary keys as they're easy to use to set things up reasonably securely. Alternatives are possible but all of them have their own issues all essentially based around identification problems. That said, Signal is working on a replacement for phone numbers as a way of providing even better anonymity and portability.

        Personally, I don't use WhatsApp not for security reasons but for the metadata that the companies harvest to mine and sell. I know this makes me a very tiny hole in a very big jigsaw. This means I also don't have to worry about trusting them with privacy and encryption. I don't but at least I don't have to worry about it!

        1. iron

          Re: This shouldn't happen

          Phone numbers make terrible primary keys as this article very well demonstrates.

          Phone numbers are not unique, not persistent and can be written in a number of different ways depending on culture. Hell, if it's a landline it's not even specific to a single person.

          As we have known since the dawn of the internet, email addresses are a much better key for user accounts. Facebook are just idiots.

          1. Orv Silver badge

            Re: This shouldn't happen

            Agreed. I also know people who are locked out of services like WhatsApp and Telegram because they have internet service, but no phone number.

          2. Grooke

            Re: This shouldn't happen

            Facebook aren't idiots. They already have your e-mail for your Facebook account, so getting your phone number is more private information they can gather.

            They're assh*les, not idiots.

            1. Anonymous Coward

              Sorry

              Side note: Does censoring "assh*les" by blocking out just one letter like that make it any less offensive to anyone?

              (Also, now that I think about it, isn't it ironic that the symbol chosen to censor the 'o'- i.e. an asterisk- looks even *more* like a graphical representation of a literal, er... assh*le?!)

          3. Elongated Muskrat Silver badge

            Re: This shouldn't happen

            There's also a big and very real problem that isn't even mentioned in this article, which breaks both the security of using the phone number as an identifier, and with 2FA codes sent via SMS:

            SIM spoofing.

            What the article describes is an "accidental" vulnerability, but this is that vulnerability's big brother, which is actively exploited by criminals / three-letter agencies.

            If using 2FA, you should be using an authenticator app wherever possible, and not rely on SMS one-time codes.

        2. Elongated Muskrat Silver badge

          Re: This shouldn't happen

          Phone numbers aren't even a good thing to use as a candidate key which is what the article describes.

          As for using a non-contiguous range of numbers as a primary key... Do you want page fragmentation? Because that's how you get page fragmentation. If you must use something like that for an identifier, if it's a candidate key with an indexed column, at least you're only looking at page splits in that index when new records are inserted, and not at the clustered index, and the resulting updates on any non-clustered indexes to keep pointing at the right page. It's almost like there's a reason people use consecutive integers as PKs and let the database number them itself...

          Also, phone numbers can be formatted in a number of ways and must be normalised on every use if using as an identifier, which, although not computationally intensive, is a big old ball-ache if you wanted to process a large amount of data (e.g. in an import).

          For example, the UK mobile number 07123456789 could also be represented as +447123456789 or 00441234567890 or 0712 345 6789 and probably several others.

          1. moonhaus

            Re: This shouldn't happen

            "For example, the UK mobile number 07123456789 could also be represented as +447123456789 or 00441234567890 or 0712 345 6789 and probably several others."

            E.164 specifies the international standard for writing, storing and dialling phone numbers. In your examples only +447123456789 would be correct. It's why mobile phones have a + key. Formatting for storage should only ever be in this format.

            Facebook and others just need to force you to enter your number in this format, or read it from the SIM.

            1. Elongated Muskrat Silver badge

              Re: This shouldn't happen

              Yes, you format it for storage. Every time a user enters a number, and every time you store that in the database, and every time you want to search, or bulk import data.

              This means validating and coercing the data into this format every time it is entered. In one way this is very little different to any other UI validation (for example NHS numbers with or without spaces), but it is common enough for numbers to be supplied in all one format, or all another, or in a mixture, that code to address the situation seems to crop up time and again.

              For example, we have one system that lets users enter a mobile number, in the 07... format, and some of this data is then fed into another system that generates and sends SMS messages, via a third-party provider, which wants it in the +44 format. I can't recall whether they want the + on the front or not, I have it in the back of my head what they actually require is 447...

              This stems from the fact that there is a "formal representation" of the number, and there is the colloquial use. In the UK, if we were calling someone, we wouldn't type +447... into our phones, we'd dial 07...

              We'd also quite often insert spaces, certainly when reading a number. For example, my own number starts with 07733, and when reading it to someone I would quote it as 07733 nnn nnn.

              In France, however, they read numbers in pairs, and would read my example above as 0 71 23 45 67 89, "zéro, cinquante-onze, vingt-trois, quarante-cinq, soixante-sept, quatre-vingt-huit" and would be likely to write it down, and enter it into any computer system that allows it as such. In the US, they like to insert dashes into numbers, and so-on.

              If you're storing the number in a database and then not actually using it for anything beyond retrieval, then you're unlikely to go to the trouble of normalising it (got a user story for that?), but if you are searching for it, you probably do want to normalise it, and also try to normalise your search terms. But what if you wanted to search for numbers that have "23 45 67" in them (including the spaces in those positions)? The seeming simplicity of the situation belies a fair amount of complexity.

              1. Elongated Muskrat Silver badge

                Re: This shouldn't happen

                ...feel free to keep down-voting me...

                What this really comes down to is whether a phone number, in the context of a software application, is stored, and treated, as a string, or as a piece of strictly formatted data.

                That, in turn, depends entirely on the problem domain the software is designed to work in, and often, in real life, those domains change, and cross over.

                You can shout until you are blue in the face that phone numbers should be normalised and strictly formatted, but if you are taking data from one system, where they have been user entered, and then normalising and transforming that data with no user interaction, you'd damn well make sure that it handles all of the following, completely and unambiguously:

                07123456789

                +447123456789

                447123456789

                00447123456789

                0447123456789 (in countries where the international dialling prefix is 0)

                01144123456789 (in countries like the US where you first dial an exit code)

                3456789 (where the prefix is implied by the software domain)

                07123 456 789

                0 71 23 45 67 89

                71 23 45 67 89

                44 71 23 45 67 89

                (07123) 456 789

                (0712) 3456 789

                (unknown)

                djfhgdsjhfgds (where the user has just typed junk into a mandatory but not validated field)

                ...and many, many more.

                Aside from all of this, the fundamental idea of using an unvalidated, possibly spoofable, possibly changeable number as a unique identifier is broken by design.
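A worked normaliser for the two points made above: moonhaus's that the stored form should only ever be E.164, and Elongated Muskrat's list of the forms a bulk import actually receives. This is an added example, not code from the page, WhatsApp or any other product. The `DialingContext` type, the UK and US contexts, the ten-significant-digit rule (the UK mobile case), the implied prefix `0712` and the hypothetical country with exit prefix `0` are all assumptions chosen to exercise the listed inputs; a real deployment reaches for a maintained library such as libphonenumber for the per-country rules rather than hand-rolling them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example. The contexts below are assumptions for illustration, not anyone's production rules.


@dataclass(frozen=True)
class DialingContext:
    """How numbers are conventionally written where the data was entered."""
    country_code: str               # E.164 country code without '+', e.g. "44"
    trunk_prefix: str               # dialled before a national number ("0" in the UK, "1" in the US)
    exit_prefixes: Tuple[str, ...]  # dialled before a foreign country code ("00" UK, "011" US)
    national_length: int            # significant digits after the trunk prefix (UK mobile: 10)
    implied_prefix: str = ""        # national prefix assumed for short local entries, e.g. "0712"


UK = DialingContext("44", "0", ("00",), 10, implied_prefix="0712")
US = DialingContext("1", "1", ("011",), 10)
# Hypothetical country (code 999 is unassigned) whose exit prefix is a single 0 and which has no
# trunk prefix; exists only to show the "0447..." entry resolving differently by context.
ZERO_EXIT = DialingContext("999", "", ("0",), 9)

_ALLOWED = re.compile(r"\+?[0-9\s().\-]+")   # digits plus the separators people actually type
_E164 = re.compile(r"\+[1-9][0-9]{6,14}")     # E.164: '+', no leading zero, at most 15 digits


def normalize(raw: Optional[str], ctx: DialingContext) -> Optional[str]:
    """Return the E.164 form ("+CC...") of a user-entered number, or None when the entry cannot
    be read unambiguously. Junk and placeholders such as "(unknown)" come back as None rather
    than as a guess, so nothing downstream ever sends SMS to a fabricated number."""
    if raw is None:
        return None
    s = raw.strip()
    if not s or not _ALLOWED.fullmatch(s):
        return None
    explicit_plus = s.startswith("+")
    if explicit_plus:
        s = re.sub(r"\(\s*0\s*\)", "", s)     # "+44 (0) 7123 ...": the (0) is never dialled
    digits = re.sub(r"[^0-9]", "", s)
    if not digits:
        return None

    if explicit_plus:
        international = digits
    else:
        international = None
        # 1. International exit prefix followed by any country code ("00447...", "0114471...").
        for exit_prefix in sorted(ctx.exit_prefixes, key=len, reverse=True):
            if digits.startswith(exit_prefix):
                international = digits[len(exit_prefix):]
                break
        if international is None:
            # 2. Short local entry ("3456789"): prepend the prefix the application domain implies.
            if ctx.implied_prefix and len(digits) < ctx.national_length:
                digits = ctx.implied_prefix + digits
            # 3. National with trunk prefix ("07123..."), without it ("7123..."), or with the home
            #    country code but no '+' ("447123...").
            if ctx.trunk_prefix and digits.startswith(ctx.trunk_prefix):
                international = ctx.country_code + digits[len(ctx.trunk_prefix):]
            elif len(digits) == ctx.national_length:
                international = ctx.country_code + digits
            elif digits.startswith(ctx.country_code):
                international = digits
            else:
                return None

    candidate = "+" + international
    if not _E164.fullmatch(candidate):
        return None
    # Length is only known for the home country; foreign numbers get E.164's bounds alone.
    # This is what rejects "0447123456789" in a UK context: 0-trunk plus 12 digits is not a number.
    if international.startswith(ctx.country_code):
        if len(international) - len(ctx.country_code) != ctx.national_length:
            return None
    return candidate


def group_by_key(entries: List[str], ctx: DialingContext) -> Dict[Optional[str], List[str]]:
    """Bucket raw entries by canonical key. Variants of one number collapse into one bucket; the
    None bucket is what an import must quarantine rather than silently drop or store as typed."""
    buckets: Dict[Optional[str], List[str]] = {}
    for entry in entries:
        buckets.setdefault(normalize(entry, ctx), []).append(entry)
    return buckets


# Constructed sample: the forms listed in the thread, as a UK-based system might receive them.
SAMPLE_UK_ENTRIES = [
    "07123456789", "+447123456789", "447123456789", "00447123456789", "0447123456789",
    "3456789", "07123 456 789", "0 71 23 45 67 89", "71 23 45 67 89", "44 71 23 45 67 89",
    "(07123) 456 789", "(0712) 3456 789", "(unknown)", "djfhgdsjhfgds",
]

if __name__ == "__main__":
    for key, raw_forms in group_by_key(SAMPLE_UK_ENTRIES, UK).items():
        print(key, "<-", raw_forms)
```

Two behaviours are deliberate. The same string `0447123456789` is rejected under `UK` and accepted under `ZERO_EXIT`, which is the point about context made above: the bytes alone do not identify a number. And the US-entered form is `011 44 7123 456 789`, the exit code followed by the full international number; the normaliser strips the exit code and keeps whatever follows, so it does not need to know every country's numbering plan to store a foreign number.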

    2. elsergiovolador Silver badge

      Re: This shouldn't happen

      For what we know they could use IRCd as a backend and keep everything in plain text.

    3. Anonymous Coward

      Re: This shouldn't happen

      "Looks like someone fucked up user management which should be exclusive: his account should have stopped working properly when he changed SIMs. This is what happens with Signal, and WhatsApp says it uses the same protocol."

      True, Signal, which is a real E2E encrypted messaging system, uses keys bound to devices. You change devices, same SIM, Signal will inform everyone this user is no longer to be trusted, and the "correct" behaviour would be as it should be: to meet the person physically and scan their new Signal key, since they changed devices.

      I have no idea how it works with Telegram, as I seem to be one of the few of my gang to be using it. I suspect it is the same.

      But WhatsApp is not a secure messaging system, but a social media, deal with it, WhatsApp users, soon to be paying users!

      The downside of this Signal behaviour is, when you're using it in groups containing the clueless, they tend to uninstall/re-install Signal/Telegram every month, or change mobile phones every month, and you have one message of "untrust" for them each time. And you're of course going off the process, by instructing the app "it's all fine, trust that device".

  4. Steve Kerr

    This is an issue with these "social" media companies

    It's not a phone company problem, it's a social media company issue.

    They're binding their service to a phone number and not an account, if it was bound to an account then this wouldn't happen.

    huge copout from fakebook/whatsapp blaming someone else for their decision to bind accounts to a mobile number.

    OK, there are other issues where companies send SMS messages for 2FA too so there are more complexities to it.

    There's also a responsibility for the account owner to delete their phone numbers off of their social media.

    So it's a mix of social media companies and the people with accounts with those services.

    I would think there would be some kind of "migrating to a new number" thing in those apps, not that this wouldn't be used by identity thieves - it's a complex subject thinking more on it.

    Giving up and going for a lunch break!

    1. Version 1.0 Silver badge
      Trollface

      Re: This is an issue with these "social" media companies

      APP = All Pirates Possibilities ... what we see everyday like this problem just reminds me about our history in the last few thousand years, pirates have existed since ancient times – they threatened the trading routes around ancient Greece, and seized vast cargo from Roman ships. The most far-reaching pirates in early medieval Europe were the Vikings - so these days they have just been replaced by apps everywhere; "social" media companies are not pirates, they are just selling cannon balls, so they are making money from the pirates.

      1. Toni the terrible Bronze badge

        Re: This is an issue with these "social" media companies

        Roman Pirates got Julia Ceasered - Crucified

  5. WolfFan

    It’s not just phone numbers

    One of my (many! Hey, we’re Irish!) cousins had a problem with Arsebook and Gmail. It seems that Gmail has trouble distinguishing between fname.lname, fname,lname, fname_lname, and probably more. They all seem to resolve as fnamelname. It’s a Google thing. So… someone who had a Gmail account similar to my cousin’s account set up Arsebook, about six years after cousin got his account. I repeat, cousin had the account for years before m’man linked an Arsebook account. And cousin started getting Arsebook notifications. Lots of Arsebook notifications. Sending messages to the owner of the Arsebook account didn’t help, cousin ended up going to Arsebook and changing the password. A few days later, the notifications started again; m’man had reset his password. Cousin went into Arsebook and ‘deleted’ the account (yeah, right, Arsebook is the Hotel California, you can check out but you can never leave) which stopped the notifications… for about a week. He did it again. This time the notifications stopped. We figure that m’man changed the account info so that it stopped pointing to cousin’s account.

    One would have thought that the fact that cousin could change the password and then could ‘delete’ the account would have told m’man that perhaps all was not well, especially after messages ask him to stop, cease, and desist from spamming cousin with notifications and to, like, you know, change the account info, had been repeatedly sent. Arsebook users ain’t too bloody bright.

  6. Anonymous Coward

    Puts the wagatha christie case into a new light

    does it not ?

    1. TheProf
      Holmes

      Re: Puts the wagatha christie case into a new light

      You are Rebekah Vardy and I claim my £5.00

  7. moonhaus

    Facebook seem to have lost control

    "Facebook doesn't have control over telecom providers who reissue phone numbers"

    That may be true, but if so then why have Facebook effectively handed over the security of their entire platform to "telecom providers" outside their control?

    This may be by design rather than a bug, but it's a bloody stupid thing to do.

    1. the spectacularly refined chap

      Re: Facebook seem to have lost control

      When I worked in mobile telecoms it wasn't even the carrier's choice, relinquished numbers had to be returned to a central pool after a brief grace period.

      Caused no end of arguments, particularly with number changes at the customer request. Didn't matter how much you warned them, they'd be back a couple of days later...

      "No, I've changed my mind. I want my number back..."

      "Sorry, that number belongs to the government now. No, you can't have it back."

    2. captain veg Silver badge

      Re: Facebook seem to have lost control

      Of course it's by design. They want your phone number, it's PII gold dust.

      -A.

  8. mrp96

    Same thing used to (well, still might) happen with Google Workspaces. I once created an organisation workspace using a domain which, it turned out, was once owned by someone else who had also set up a Google Workspace. This was back in the days when you could have 50 email addresses before you had to pay for it, so I'm guessing no one bothered to clear the account up behind them.

  9. heyrick Silver badge

    this bizarre tale of inadvertent WhatsApp account hijacking

    Is it really that different to moving house, forgetting to change your address all over the place, then getting upset when a complete stranger (the new occupant) is still receiving (and presumably able to read) your post?

    Or selling a mobile phone/computer without wiping everything on it first?

    Yeah, it's annoying that companies seem to want to tie accounts to phone numbers, but if you change your number and don't update all this stuff, mea culpa etc...

    1. moonhaus

      Re: this bizarre tale of inadvertent WhatsApp account hijacking

      How do you delete a whatsapp account when your phone number's been disconnected and you need the phone number to delete it?

      Losing a phone number usually won't be by choice. Many people lose their phones and a good percentage will not have registered their prepay contact details so can't get the number back. Some people have to travel abroad at short notice so can't top up, others have a "life event" that prevents topping up or paying the bill. Some are being abused by partners or fleeing violence or natural disasters so are forced to change phones and numbers.

      Claiming the account should have been deleted to avoid being compromised is like saying you should have sold your car to prevent it being stolen.

    2. Wobblin' Pete
      Coat

      Re: this bizarre tale of inadvertent WhatsApp account hijacking

      Just what I was thinking. The beauty of WhatsApp was it was tied to your phone number - break your phone, pop the old SIM into a new phone and you can have WhatsApp up in seconds. Ideal for idiot yoof on skateboards, and their parents wanting to contact them. Great system for that and why it was so successful.

      So if you forget to tell your bank you have moved house it's not your bank's fault for not knowing. I used to get text messages for the previous owner of my phone number to authorise their credit card payments. No one at the bank was interested, and I had no way of contacting them. It kept happening until one day their elderly father called me in error (seems he still had their old number in his phone) and I explained to him that his daughter really should contact the bank and update her details.....

      Mines the one with MY phone in the pocket.....

      1. ilmari

        Re: this bizarre tale of inadvertent WhatsApp account hijacking

        I would've thought it would be the regular computer-illiterate adult for which WhatsApp was a blessing. At least in my experience with previous services like Skype, it usually went like:

        - "I can't log on, I don't remember my password"

        - "What's your Skype username?"

        - "No idea"

        - "What email did you use to sign up for Skype?"

        - "Uh..."

        - "Do you have email?"

        - "I have Google/Hotmail/Microsoft/Outlook "

        - "Oh okay let's go look in email what your Skype password is"

        - "What's my email password?"

        (And when trying to log in to email they actually accidentally go to Skype web and log in successfully and get angry I didn't immediately tell them Skype was same as email)

        Whereas with WhatsApp one can usually figure out the user's phone number without too much hassle, and the user can usually receive SMS to the phone.

    3. captain veg Silver badge

      Re: this bizarre tale of inadvertent WhatsApp account hijacking

      Postal addresses identify postboxes.

      Telephone numbers identify telephones.

      Neither identifies individuals. Conflating them is an error.

      -A.

  10. Mark White

    I can understand how they say you need to delete your account and other things to keep it safe but I wonder how members of group chats are kept.

    If they use a list of phone numbers to maintain the membership then it is unlikely deleting your account would take you out of the group.

    This just goes to show that phone number is a terrible key... one person can have more than one phone number and one phone number can belong to more than one person (hopefully at different periods of time)

    1. Korev Silver badge

      If a number is dead to WhatsApp then it eventually gets removed from the group. The issue here is when the number is given to someone else before this time elapses.

      1. Someone Else Silver badge

        If a number is dead to WhatsApp then it eventually gets removed from the group.

        For rather large, varying and indeterminate values of 'eventually'.

  11. lvm

    Eventually this will happen to all of us

    and this is not 'extremely rare' at all - we all will die.

    1. Paul Crawford Silver badge

      Re: Eventually this will happen to all of us

      Hopefully not before Arsebook and the likes die!

  12. Korev Silver badge
    FAIL

    Ugo was a long-time WhatsApp user in Switzerland with his account tied to his Swiss phone number.

    ...

    Note that this person seemed to be Italian, most/all messages were in Italian…

    They do speak Italian in Switzerland too.

    It's a beautiful part of the world (Ticino).

    1. Dan 55 Silver badge

      The new French number that Ugo got after transferring his number using WhatsApp was previously owned by an Italian speaker judging by the profile and the groups he got added to.

      Really WhatsApp should reset the profile and remove the number from any existing groups when transferring an account to a new number which was in use but hasn't been used for some time, not blame the telco.

    2. Someone Else Silver badge

      Depending on whom you ask, they also speak German there....

      1. Stork

        For a loose definition of German

        1. skswales

          We once had a manual translated to German. Well, Swiss-German! Got a bit of flak from users in northern Germany.

  13. xyz Silver badge

    I'm off to change my phone now...

    Hope I get the ex-number of a really hot, beauty who likes to share photos on Fapbook. . :-)

    Mind you knowing my luck I'll probably get the ex-number of some kiddie fiddler... Or worse Boris Johnson.

  14. Anonymous Coward

    Well I never. End to end encryption is useless when the phone company can re-allocate your number or clone it.

    Altogether now. "That's not a bug, it's a feature."

  15. Norfolk N Chance

    Phone numbers

    are the thin end of the wedge - just about every online service seems to encourage an email address as a username.

    It generally works if the online service is an email provider, it might do no harm if the username is only used as a primary unique identifier, but fails painfully when it's also used as an (unverified) primary contact.

    The second and third scenarios above are not helped by individual services interpretation of unique addresses. Gmail may decide that certain variations resolve to the same account (it ignores underscores for example) yet a third party service may happily open 2 separate accounts one with underscores, one without.

    Guilty parties range from social media to government orgs, and the latter seem to be the most ardent in broadcasting personal information to patently unverified addresses.

    Coupled with many services insistence on sending from noreply email addresses, the erroneous recipient can do little to help. How many emails do you receive from such originators which have the "If you received this message by mistake, please reply to this message.. " boilerplate?

    Obligatory tenuous xkcd https://xkcd.com/970 - while it may be irritating, the sheer volume of highly personal medical email I receive (my initials are D R) would suggest that we should check our email address more rigorously rather than less.

    1. Fifth Horseman

      Re: Phone numbers

      Like the username - my pub quiz team used to be called the Norfolk Inn Good Team, until the landlord finally twigged and kicked us out. Welcome to El Reg, BTW.

      I was going to share your frustrations with certain government agencies, but realised it would turn into a rant, and it is really past Horsie's midweek bedtime. You are definitely right, though.

  16. pip25

    Been there, done that

    I got a phone from my employer for work-related purposes years ago. Soon enough, I started getting calls, from banks to complete strangers, all looking for the same lady who obviously wasn't me. At first, it felt hilarious. After the 10th call it felt annoying. I may have managed to track down the lady via social media, but my polite letter to resolve this situation went unanswered, so I guess I'll never know for sure. Thankfully the calls petered out over the years, so now only the moral remains: these days your phone number is part of your identity. Be careful with it.

    1. Potty Professor
      Devil

      Re: Been there, done that

      I keep getting phone calls from a credit card company on my landline to someone who briefly lived in the house I rent. They left at least eight years ago, and I have lost count of the times I have told Capital One that. I suppose I shall just have to keep repeating that information, despite the fact that each time they call, they say that they will remove my number from their database.

      1. pip25

        Re: Been there, done that

        Oh right, they kept telling me that, too. Maybe it's some sort of legal requirement they at least have to pretend to uphold.

      2. arachnoid2

        Re: Been there, done that

        Give them a fake new number that you are changing to..........

  17. TeeCee Gold badge
    Facepalm

    "Hijacked..."

    ...if you have changed your phone number and didn't delete the WhatsApp account linked to it.

    Well, you can't fix stupid and there's no point in trying. I'm guessing that anything he had with 2FA validation switched on was buggered as well.

    1. hayzoos
      Headmaster

      Re: "Hijacked..."

      If by 2FA you are referring to SMS, then you are incorrect for the reason pointed out earlier in the comments. For all intents and purposes, using SMS for MA is about 1.00001FA, not 2FA.

      1. Fred Daggy Silver badge
        Coat

        Re: "Hijacked..."

        I think that number is (in El Reg units) known as "Sweet FA".

  18. rototype

    YAMFU

    Yet Another Meta Fuck-Up

  19. jollyboyspecial

    SMS and Voice

    The new owner of a phone number would be able to send and receive SMS messages and make and receive voice calls. The issue here is not with WhatsApp, it's with the very idea of re-using phone numbers.

    Sensible countries don't allow the re-use of phone numbers for this very reason, but in some territories it's seen as a simple solution to the problem of running out of numbers. If you're running out of digits add digits, but the problem is more likely to be carriers who don't have a big enough pool of numbers and don't want to purchase more.

    The re-use of numbers has all sorts of potential for data protection problems beyond SMS, voice and WhatsApp (and any other application keyed by phone number). Take for example organisations that use phone numbers against customer accounts. Ever called a company and they've known who you are when you call up? You know the sort of thing, you call up and say "hi I'm calling to add a new SIM to my account" and the agent at the other end says "I'm just bringing up your account details now". They've identified you from the phone number you are calling from. Now any company that complies with data protection laws will hopefully have proper security protocols to prevent anybody making changes, spending money or otherwise breaking the law. But if a company does that, how easy would it be to get hold of somebody else's phone and start making phone calls pretending to be them? Or for a scammer to spoof CLIs when making outbound calls? Easy of course, and both have been done. However if carriers re-use phone numbers that sort of thing could happen accidentally.

    1. Elongated Muskrat Silver badge

      Re: SMS and Voice

      No company I have ever dealt with has, when I have called them, said "I'm just pulling up your details" from the phone number alone. They'll pretty universally ask for your name, postcode and first line of your address, and if it's something like a bank or utility provider, they'll then ask some security questions.

  20. Randy Hudson

    > The security hole stems from wireless carriers' practice of recycling former customers' phone numbers and giving them to new customers

    No, the security hole stems from using phone numbers as the username.

    > we strongly encourage people to use two-step verification

    Seriously? Anyone with your old phone number will also receive any SMS to that number.

  21. Frogmelon

    Would seem like a no brainer to verify against a secondary key like the IMEI (unless that's able to be spoofed) or other unique key like the phone serial number, or multiple keys linked to the device. That's better than just relying on the telephone number.

    The telephone number will stay the same but the other keys will change and can be used to detect a change of device or user.

    Seems daft to just rely on the phone number being kosher.

    1. moonhaus

      The IMEI is even worse than a phone number, as people SIM swap and replace phones a lot more often than numbers. IMSI & phone number should be what you use to check a number is still on the original SIM. It looks like Facebook didn't even do that basic check though.

      But as has been said, using a phone number as an account identity is moronic.

  22. omikl

    Not just the MSISDN that gets reused

    Some territories re-use the IMSI as well.

    Every operator I have worked with re-uses MSISDNs: usually there is a 6 month quarantine period before they are returned to a pool of free numbers for re-use. Margins, especially for pre-paid, are so razor thin that having to purchase new blocks of MSISDNs periodically from their issuing authority would probably collapse them.

  23. arachnoid2

    Spartacus

    It's a damn nuisance, I must have the number Spartacus owned as I keep getting angry messages from Roman descendants.

    Getting calls from strangers after moving to a new area has been happening ever since Bell made more than two phones. It just shows that media providers care little about security and more about making excuses.
