New Method Lets Attackers Hijack WhatsApp Account Via Voicemail

Alvine Chaparadza

WhatsApp’s end-to-end encryption feature ensures that our conversations remain private, but the platform itself is vulnerable to a simple attack which can hijack a user’s WhatsApp account. The method, which was discovered last year, can be used to take over the WhatsApp account of a target by stealing the verification code sent to their voicemail inbox without much technical knowledge.

The vulnerability, which can be used to take over someone’s WhatsApp account, was spotted last year by a security expert named Ran Bar-Zik. However, the vulnerability can only be exploited if the target uses voicemail and doesn’t have a complex PIN or uses a default PIN such as 1234 or 1111.

Hacking Voice Mail

An attacker installs WhatsApp on his device and enters the mobile number of the target during the registration process, after which a security code will be sent to the target’s mobile number. Trying to install WhatsApp on two devices will send a security alert to the target, which is why the hacker tries to execute the hack when the target is likely not active, say after midnight.

After sending a verification request multiple times, the attacker can indicate that he/she didn’t get the verification code via SMS, so WhatsApp will send it via a voice call instead. If the target does not answer the voice call, the message goes to their voicemail (yes, WhatsApp can leave the verification code in your voicemail inbox). We rarely use voicemail nowadays, and very few people bother to change the default passcode assigned by the mobile service provider. As a result, if the hacker tries “0000” or “1234”, they are extremely likely to confirm the state of the victim’s voicemail service. If it’s active, hijacking is possible. The hacker now has access to the victim’s WhatsApp account and can also lock him out permanently by activating the two-factor authentication feature.

The only way to prevent an attacker from executing the aforesaid attack is to activate WhatsApp’s two-factor authentication feature and use a stronger password for one’s voicemail.
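The voicemail half of that advice can be checked mechanically. The following is an added example, not part of the original article: it audits a voicemail PIN for the weaknesses the article names. The rules beyond the default PINs quoted above, the six-digit minimum, and the function names are assumptions.

```python
# Added example: audit a voicemail PIN for the weaknesses the article names.
# The rule set and names are assumptions, not any carrier's actual policy.

# Default PINs quoted in the article.
ARTICLE_DEFAULTS = {"0000", "1111", "1234"}


def _is_sequence(pin: str) -> bool:
    """True for runs such as 1234, 4321 or 7890 (step of +1 or -1, mod 10)."""
    digits = [int(c) for c in pin]
    for step in (1, -1):
        if all((b - a) % 10 == step % 10 for a, b in zip(digits, digits[1:])):
            return True
    return False


def audit_voicemail_pin(pin: str, phone_number: str = "", min_len: int = 6) -> list[str]:
    """Return the reasons a PIN is weak; an empty list means no finding."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    findings = []
    if pin in ARTICLE_DEFAULTS:
        findings.append("carrier-style default PIN")
    if len(pin) < min_len:
        findings.append(f"shorter than {min_len} digits")
    if len(set(pin)) == 1:
        findings.append("single repeated digit")
    if len(pin) > 1 and _is_sequence(pin):
        findings.append("ascending or descending sequence")
    # A PIN lifted from the subscriber's own number is easy to guess.
    subscriber = "".join(c for c in phone_number if c.isdigit())
    if subscriber and pin in subscriber:
        findings.append("taken from the phone number")
    return findings


if __name__ == "__main__":
    # Constructed sample number and PINs, for illustration only.
    number = "+263 77 555 0142"
    for candidate in ("1234", "0000", "550142", "582917"):
        print(candidate, audit_voicemail_pin(candidate, number) or "no finding")
```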

Is it likely to be hacked?

The chances of this type of hack happening are quite low, since you need to be away from your phone (for example, asleep around midnight) and your voicemail password must not have been changed. But hackers in Israel are succeeding in this type of “WhatsApp hack”.


  1. Garikai Dzoma

    I would imagine this was triaged as low priority by the guys at WhatsApp since it’s FOSS we might never know. But such a “bug” is not only hard to fix but it’s not really a WhatsApp issue. Indeed it’s even more likely this was simply marked as Won’t fix. I am speculating here.

  2. v11

    Here you've run out of stories. Don't just copy and paste whatever you've picked up, guys.

  3. v11

    New method to hack bank account. Users normally write their account number along with their PIN. Hackers will try to snoop through your diary so as to hack your account.

  4. sg

    Is that hacking?

  5. Chris Mberi

    Thank you Techzim for enlightening us. Most people would not have thought of this and it brings to light the importance of thinking of security when we use these applications. Israel has literally made an industry out of security and such articles could trigger a thinker somewhere to start taking security issues seriously and turn it into a venture.

  6. localhost

    Mhh, I beg to differ; this social engineering is not effective.