Accidental WhatsApp account takeovers? It's a thing A stranger may be receiving your private WhatsApp messages, and also be able to send messages to all of your contacts – if you have changed your phone number and didn't delete the WhatsApp account linked to it. Your humble vulture heard this bizarre tale of inadvertent WhatsApp account hijacking from a reader, Eric, who told …
This post has been deleted by its author
But that signal is only the protocol (and yes an app with the same name), what you do before or after that in regards to messages and user accounts is entirely up to the developer. There's nothing to stop the whatsapp developers getting the text content from the input box encrypting one via the signal protocol to your mate and sending one to facebook.
Oh, definitely. The thing is, if you're going to use the phone number either as the primary key or the basis for one, you must enforce it.
Phone numbers are pretty good candidates for primary keys as they're easy to use to set things up reasonably securely. Alternatives are possible but all of them have their own issues all essentially based around identification problems. That said, Signal is working on a replacement for phone numbers as a way of providing even better anonymity and portability.
Personally, I don't use WhatsApp not for security reasons but for the metadata that the companies harvest to mine and sell. I know this makes me a very tiny hole in a very big jigsaw. This means I also don't have to worry about trusting them with privacy and encryption. I don't but at least I don't have to worry about it!
Phone numbers make terrible primary keys as this article very well demonstrates.
Phone numbers are not unique, not persistent and can be writtin in a number of different ways depending on culture. Hell if its a land line its not even specific to a single person.
As we have known since the dawn of the internet, email addresses are a much better key for user accounts. Facebook are just idiots.
Side note: Does censoring "assh*les" by blocking out just one letter like that make it any less offensive to anyone?
(Also, now that I think about it, isn't it ironic that the symbol chosen to censor the 'o'- i.e. an asterisk- looks even *more* like a graphical representation of a literal, er... assh*le?!)
There's also a big and very real problem that isn't even mentioned in this article, which breaks both the security of using the phone number as an identifier, and with 2FA codes sent via SMS:
SIM spoofing.
What the article describes is an "accidental" vulnerability, but this is that vulnerability's big brother, which is actively exploited by criminals / three-letter agencies.
If using 2FA, you should be using an authenticator app wherever possible, and not rely on SMS one-time codes.
Phone numbers aren't even a good thing to use as a candidate key which is what the article describes.
As for using a non-contiguous range of numbers as a primary key... Do you want page fragmentation? Because that's how you get page fragmentation.If you must use something like that for an identifier, if it's a candidate key with an indexed column, at least you're only looking at page splits in that index when new records are inserted, and not at the clustered index, and the resulting updates on any non-clustered indexes to keep pointing at the right page. It's almost like there's a reason people use consecutive integers as PKs and let the database number them itself...
Also, phone numbers can be formatted in a number of ways and must be normalised on every use if using as an identifier, which, although not computationally intensive, is a big old ball-ache if you wanted to process a large amount of data (e.g. in an import).
For example, the UK mobile number 07123456789 could also be represented as +447123456789 or 00441234567890 or 0712 345 6789 and probably several others.
"For example, the UK mobile number 07123456789 could also be represented as +447123456789 or 00441234567890 or 0712 345 6789 and probably several others."
E164 specifies the international standard for writing, storing and dialing phone numbers. In your examples only +447123456789 would be correct. It's why mobile phones have a + key. Formatting for storage should only ever be in this format.
Facebook and others just need to force you to enter your number in this format, or read it from the SIM.
Yes, you format it for storage. Every time a user enters a number, and every time you store that in the database, and every time you want to search, or bulk import data.
This means validating and coercing the data into this format every time it is entered. In one way this is very little different to any other UI validation (for example NHS numbers with or without spaces), but it is common enough for numbers to be supplied in all one format, or all another, or in a mixture, that code to address the situation seems to crop up time and again.
For example, we have one system that lets users enter a mobile number, in the 07... format, and some of this data is then fed into another system that generates and sends SMS messages, via a third-party provider, which wants it in the +44 format. I can't recall whether they want the + on the front or not, I have it in the back of my head what they actually require is 447...
This stems from the fact that there is a "formal representation" of the number, and there is the colloquial use. In the UK, if we were calling someone, we wouldn't type +447... into our phones, we'd dial 07...
We'd also quite often insert spaces, certainly when reading a number. For example, my own number starts with 07733, and when reading it to someone I would quote it as 07733 nnn nnn.
In France, however, they read numbers in pairs, and would read my example above as 0 71 23 45 67 89, "zéro, cinquante-onze, vingt-trois, quarante-cinq, soixante-sept, quatre-vingt-huit" and would be likely to write it down, and enter it into any computer system that allows it as such. In the US, they like to insert dashes into numbers, and so-on.
If you're storing the number in a database and then not actually using it for anything beyond retrieval, then you're unlikely to go to the trouble of normalising it (got a user story for that?), but if you are searching for it, you probably do want to normalise it, and also try to normalise your search terms. But what if you wanted to search for numbers that have "23 45 67" in the (including the spaces in those positions)? The seemingly simpleness of the situation belies a fair amount of complexity.
...feel free to keep down-voting me...
What this really comes down to is whether a phone number, in the context of a software application, is store, and treated, as a string, or as a piece of strictly formatted data.
That, in turn, depends entirely on the problem domain the software is designed to work in, and often, in real life, those domains change, and cross over.
You can shout until you are blue in the face that phone numbers should be normalised and strictly formatted, but if you are taking data from one system, where they have been user entered, and then normalising and transforming that data with no user interaction, you'd damn well make sure that it handles all of the following, completely and unambiguously:
07123456789
+447123456789
447123456789
00447123456789
0447123456789 (in countries where the international dialling prefix is 0)
01144123456789 (in countries like the US where you first dial an exit code)
3456789 (where the prefix is implied by the software domain)
07123 456 789
0 71 23 45 67 89
71 23 45 67 89
44 71 23 45 67 89
(07123) 456 789
(0712) 3456 789
(unknown)
djfhgdsjhfgds (where the user has just typed junk into a mandatory but not validated field)
...and many, many more.
Aside from all of this, the fundamental idea of using an unvalidated, possibly spoofable, possibly changeable number as a unique identifier is broken by design.
"Looks like someone fucked up user management which should be exclusive: his account should have stopped working properly when he changed SIMs. This is what happens with Signal, and WhatsApp says it uses the same protocol."
True, Signal, which is a real E2E encrypted messaging system, use keys bound to devices. You change devices, same SIM, signal will inform everyone this user is no longer to be trusted, and the "correct" behaviour would be as it should be: to meet physically the person, and scan their new signal key, since they changed devices.
I have no idea how it works with Telegram, as I seem to be one of the few of my gang to be using it. I suspect it is the same.
But Whatsapp is not secure messaging system, but a social media, deal with it, Whatsapp users, soon to be paying users !
The downside of this signal behaviour, is, when you're using it in groups containing the clueless, they tend to uninstall/re-install Signal/Telegram every month, or change mobiles phones every month, and you have one message of "untrust" for them each time. And you're of course going off the process, by instructing the app "it's all fine, trust that device".
It's not a phone company problem, it's a social media company issue.
They're binding their service to a phone number and not an account, if it was bound to an account then this wouldn't happen.
huge copout from fakebook/whatsapp blaming someone else for their decision to bind accounts to a mobile number.
OK, there are other issues where companies send SMS messages for 2FA too so there are more complexities to it.
There's also a responsibility for the account owner to delete their phone numbers off of their social media.
So it's a mix of social media companies and the people with accounts with those services.
I would think there would be some kind of "migrating to a new number" thing in those apps, not that this wouldn't be used by identify thieves - it's a complex subject thinking more on it.
Giving up and going for a lunch break!
APP = All Pirates Possibilities ... what we see everyday like this problem just reminds me about our history in the last few thousand years, pirates have existed since ancient times – they threatened the trading routes around ancient Greece, and seized vast cargo from Roman ships. The most far-reaching pirates in early medieval Europe were the Vikings - so these days they have just been replaced by apps everywhere; "social" media companies are not pirates, they are just selling cannon balls, so they are making money from the pirates.
One of my (many! Hey, we’re Irish!) cousins had a problem with Arsebook and Gmail. It seems that Gmail has trouble distinguishing between fname.lname, fname,lname, fname_lname, and probably more. They all seem to resolve as fnamelname. It’s a Google thing. So… someone who had a Gmail account similar to my cousin’s account set up Arsebook, about six years after cousin got his account. I repeat, cousin had the account for years before m’man linked a Arsebook account. And cousin started getting Arsebook notifications. Lots of Arsebook notifications. Sending messages to the owner of the Arsebook account didn’t help, cousin ended up going to Arsebook and changing the password. A few days later, the notifications started again; m’man had reset his password. Cousin went into Arsebook and ‘deleted’ the account (yeah, right, Arsebook is the Hotel California, you can check out but you can never leave) which stopped the notifications… for about a week. He did it again. This time the notifications stopped. We figure that m’man changed the account info so that it stopped pointing to cousin’s account.
One would have thought that the fact that cousin could change the password and then could ‘delete’ the account would have told m’man that perhaps all was not well, especially after messages ask him to stop, cease, and desist from spamming cousin with notifications and to, like, you know, change the account info, had been repeatedly sent. Arsebook users ain’t too bloody bright.
"Facebook doesn't have control over telecom providers who reissue phone numbers"
That may be true, but if so then why have Facebook effectivly handed over the security of their entire platform to "telecom providers" outside their control?
This may be by design rather than a bug, but it's bloody stupid thing to do.
When I worked in mobile telecoms it wasn't even the carrier's choice, relinquished numbers had to be returned to a central pool after a brief grace period.
Caused no end of arguments, particularly with number changes at the customer request. Didn't matter how much you warned them, they'd be back a couple of days later...
"No, I've changed my mind. I want my number back..."
"Sorry, that number belongs to the government now. No, you can't have it back."
Same thing used to (well still might do) happen with Google Workspaces. I once create an organisation workspace using a domain which turned out was once owned by someone else who had also set up a Google Workspace. This was back in the days when you could have 50 email address before you had to pay for it so I'm guessing no one bothered to clear the account up behind them.
Is it really that different to moving house, forgetting to change your address all over the place, then getting upset when a complete stranger (the new occupant) is still receiving (and presumably able to read) your post?
Or selling a mobile phone/computer without wiping everything on it first?
Yeah, it's annoying that companies seem to want to tie accounts to phone numbers, but if you change your number and don't update all this stuff, mea culpa etc...
How do you delete a whatsapp account when your phone number's been disconnected and you need the phone number to delete it?
Losing a phone number usually wont be by choice. Many people lose their phones and a good percentage will not have registered their prepay contact details so can't get the number back. Some people have to travel abroad at short notice so cant topup, others have a "life event" that prevents topping up or paying the bill. Some are being abused by partners or fleeing violence or natural disasters so are forced to change phones and numbers.
Claiming the account should have been deleted to avoid being compromised is like saying you should have sold your car to prevent it being stolen.
just what i was thinking. the beauty of whasap was it was tied to your phone number - break your phone, pop the old sim into a new phone and you can have whatsap up in seconds. Ideal for idiot yoof on skateboards, and their parents wanting to contact them. Great system fro that and why it was so successful.
So if you forget to tell your bank you have moved house it's not your bank's fault for not knowing. I used to get text messages for the previous owner of my phone number to authorise their credit card payments. No one at the bank was interested, and I had no way of contacting them. It kept happening until one day their elderly father called me in error (seems he still had their old number in his phone) and i explained to him that his daughter really should contact the bank and update her details.....
Mines the one with MY phone in the pocket.....
I would've thought it would be the regular computer illiterate adult for which whatsapp was a blessing. At least in my experience with previous services like Skype, it usually went like:
-:"I can't log on, i don't remember my password"
- "What's your Skype username?"
- "No idea"
- "What email did you use to sign for Skype?"
- "Uh..."
- "Do you have email?"
- "I have Google/Hotmail/Microsoft/Outlook "
- "Oh okay let's go look in email what your Skype password is"
- "What's my email password?"
(And when trying to log in to email they actually accidentally go to Skype web and log in successfully and get angry I didn't immediately tell them Skype was same as email)
Whereas with WhatsApp one can usually figure out the users's phone number without too much hassle, and the user can usually receive SMS to the phone.
I can understand how they say you need to delete your account and other things to keep it safe but I wonder how members of group chats are kept.
If they use a list of phone numbers to maintain the membership then it is unlikely deleting your account would take you out of the group.
This just goes to show that phone number is a terrible key... one person can have more than one phone number and one phone number can belong to more than one person (hopefully at different periods of time)
The new French number that Ugo got after transferring his number using WhatsApp was previously owned by an Italian speaker judging by the profile and the groups he got added to.
Really WhatsApp should reset the profile and remove the number from any existing groups when transferring an account to a new number which was in use but hasn't been used for some time, not blame the teleco.
are the thin end of the wedge - just about every online service seems to encourage an email address as a username.
It generally works if the online service is an email provider, it might do no harm if the username is only used as a primary unique identifier, but fails painfully when it's also used as an (unverified) primary contact.
The second and third scenarios above are not helped by individual services interpretation of unique addresses. Gmail may decide that certain variations resolve to the same account (it ignores underscores for example) yet a third party service may happily open 2 separate accounts one with underscores, one without.
Guilty parties range from social media to government orgs, and the latter seem to be the most ardent in broadcasting personal information to patently unverified addresses.
Coupled with many services insistence on sending from noreply email addresses, the erroneous recipient can do little to help. How many emails do you receive from such originators which have the "If you received this message by mistake, please reply to this message.. " boilerplate?
Obligatory tenuous xkcd https://xkcd.com/970 - while it may be irritating, the sheer volume of highly personal medical email I receive (my initials are D R) would suggest that we should check our email address more rigorously rather than less.
Like the username - my pub quiz team used to be called the Norfolk Inn Good Team, until the landlord finally twigged and kicked us out. Welcome to El Reg, BTW.
I was going to share your frustrations with certain government agencies, but realised it would turn into a rant, and it is really past Horsie's midweek bedtime. You are definitely right, though.
I got a phone from my employer for work-related purposes years ago. Soon enough, I started getting calls, from banks to complete strangers, all looking for the same lady who obviously wasn't me. At first, it felt hilarious. After the 10th call it felt annoying. I may have managed to track down the lady via social media, but my polite letter to resolve this situation went unanswered, so I guess I'll never know for sure. Thankfully the calls petered out over the years, so now only the moral remains: these days your phone number is part of your identity. Be careful with it.
I keep getting phone calls from a credit card company on my landline to someone who briefly lived in the house I rent. They left at least eight years ago, and I have lost count of the times I have told Capital One that. I suppose I shall just have to keep repeating that information, despite the fact that each time they call, they say that they will remove my number from their database.
The new owner of a phone number would be able to send an receive SMS messages and make and receive voice calls. The issue here is not with whatsapp it's with the very idea of re-using phone numbers.
Sensible countries don't allow the re-use of phone numbers for this very reason, but in some territories it's seen as a simple solution to the problem of running out of numbers. If you're running out of digits add digits, but the problem is more likely to be carriers who don't have a big enough pool of numbers and don't want to purchase more.
The re-use of numbers has all sorts of potential for data protection beyond SMS, voice and whatsapp (and any other application keyed by phone number). Take for example organisations that use phone numbers against customer accounts. Ever called a company and they've known who you are when you call up? You know the sort of thing, you call up and say "hi I'm calling to add a new SIM to my account" and the agent at the other end says "I'm just bringing up your account details now". They've identified you from the phone number you are calling from. Now any company that complies with data protection laws will hopefully have proper security protocols to prevent anybody making changes, spending money or otherwise breaking the law. But if a company does that how easy would it be to get hold of somebody else's phone and start making phone calls pretending to be them? Or for a scammer to spoof CLIs when making outbound calls? Easy of course and both have been done. However if carriers re-use phone numbers that sort of thing could happen accidentally.
No company I have ever dealt with has, when I have called them, said "I'm just pulling up your details" from the phone number alone. They'll pretty universally ask for your name, postcode and first line of your address, and if it's something like a bank or utility provider, they'll then ask some security questions.
> The security hole stems from wireless carriers' practice of recycling former customers' phone numbers and giving them to new customers
No, the security hole stems from using phone numbers as the username.
> we strongly encourage people to use two-step verification
Seriously? Anyone with your old phone number will also receive any SMS to that number.
Would seem like a no brainer to verify against a secondary key like the IMEI (unless that's able to be spoofed) or other unique key like the phone serial number, or multiple keys linked to the device. That's better than just relying on the telephone number.
The telephone number will stay the same but the other keys will change and can be used to detect a change of device or user.
Seems daft to just rely on the phone number being kosher.
The IMEI is even worse than a phone number, as people SIM swap and replace phones a lot more often than numbers. IMSI & phone number should be what you use to check a number is still on the original SIM. It looks like Facebook didn't even do that basic check though.
But as has been said, using a phone number as an account identity is moronic.
Some territories re-use the IMSI as well.
Every operator I have worked with re-uses MSISDNs: Usually there is a 6 month quarantine period before they are returned to a pool of free numbers for re-use.Margins, especially for pre-apid, are so razor thin that having to purchase new blocks of MSISDNs periodically from their issuing authority would probably collapse them.
Its a damn nuisance, I must have the number Spartacus owned as I keep getting angry messages from Roman descendants.
Getting calls from strangers after moving to a new area has been happening ever since bell made more than two phones. It just shows that media providers care little about security and more about making excuses.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
