New vulnerability in WhatsApp allows hacking 2FA codes

Any internet-connected platform is exposed to hacking, even when the most recommended security practices are implemented, as mobile hacking specialists note. A couple of years ago, WhatsApp launched a two-factor authentication (2FA) mechanism to provide an additional layer of security for its users.

A group of researchers recently revealed a new vulnerability in the WhatsApp versions for iOS and Android that, if exploited, could allow threat actors to obtain the 2FA code sent by the company, which is stored in plain text.

It should be noted that this is not the first time a serious flaw has been uncovered in the security of the messaging platform, which is used by hundreds of millions of people around the world.

According to the instructors of a mobile hacking course, the only protection this code has is that it is stored in a sandboxed environment, so third-party applications cannot access it; in addition, the company does not store this code in backups. However, storing the code in clear text is still a poor security practice.

Below is how WhatsApp stores the 2FA password in plain text. It can also be seen that the files are stored in a private container.

The mobile hacking specialists note that this 2FA key is also visible on rooted Android devices, so other apps with root permissions could access this code.

A third-party application that gained access to this code would still need to obtain the six-digit PIN code sent to the user's phone number to fully compromise the account, so the potential for exploiting this security flaw for malicious ends is significantly reduced.

Although users are not facing imminent danger, the International Institute of Cyber Security (IICS) recommends that WhatsApp not store this information in plain text, in order to eliminate any risk to users and their accounts in the messaging app.
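As an added illustration of the IICS recommendation (example code, not WhatsApp's own), the following contrasts the plaintext record the article describes with a keyed, salted verifier; the PIN value, the record layout and the device_key standing in for a keystore-held key are constructed for the example. A salted hash alone does not rescue a six-digit PIN, since its keyspace is only a million values, which is why the verifier is bound to a key held outside the file.

```python
import hashlib
import hmac
import os

# Constructed demonstration, not WhatsApp's code: contrasts a 2FA PIN stored in
# plain text (what the article describes) with a keyed, salted verifier that a
# file read from the app sandbox cannot be turned back into the PIN.

PBKDF2_ITERATIONS = 200_000
PIN_KEYSPACE = 10 ** 6  # a six-digit PIN has only a million possible values


def store_plaintext(pin: str) -> dict:
    """Weak: whoever can read the file (e.g. root on a rooted device) learns the PIN."""
    return {"pin": pin}


def store_verifier(pin: str, device_key: bytes) -> dict:
    """Hardened: per-record salt, slow PBKDF2, then an HMAC under a key kept
    outside the file (device_key stands in for a hardware-backed keystore key).
    Salt and slow hashing alone are not enough here: with only PIN_KEYSPACE
    candidates an offline guess over a leaked file is cheap, so the device-held
    key is what actually prevents offline recovery of the PIN."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    tag = hmac.new(device_key, digest, "sha256").digest()
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "tag": tag.hex()}


def verify_pin(candidate: str, record: dict, device_key: bytes) -> bool:
    """Recompute the verifier for a candidate PIN and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    expected = hmac.new(device_key, digest, "sha256").digest()
    return hmac.compare_digest(expected, bytes.fromhex(record["tag"]))


def leaks_pin(record: dict) -> bool:
    """True if the stored record reveals the PIN directly, as the plaintext file does."""
    return "pin" in record


if __name__ == "__main__":
    key = os.urandom(32)  # constructed stand-in for a keystore-held key
    hardened = store_verifier("482913", key)
    print("plaintext leaks PIN:", leaks_pin(store_plaintext("482913")))  # True
    print("verifier leaks PIN:", leaks_pin(hardened))                    # False
    print("correct PIN verifies:", verify_pin("482913", hardened, key))  # True
    print("wrong PIN rejected:", verify_pin("000000", hardened, key))    # False
```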