WhatsApp accounts can be completely stolen as long as the number is known and the phone screen is looked at.

There is no need to unlock it, no WhatsApp password or email address.

This attack can easily work on coworkers, roommates, spouses, classmates, etc. It could even work on someone you have lunch or coffee with, or your boss.

All the target needs to do is step away from the phone for a few seconds, such as when you go to the bathroom.

Jake Moore, a security researcher at ESET, explained this process in a blog post today (April 20). However, we tried it ourselves and, to our horror, it worked perfectly.

At this point, we would normally tell you to protect yourself with the best password manager or the best anti-virus software. But this ridiculous security hole has nothing to do with passwords or malware.

Fortunately, there is an easy way to avoid this kind of attack: enable the PIN on your WhatsApp account, which you will need to enter when you migrate your account to a new phone. enable the PIN on your WhatsApp account, which you will need to enter when you migrate your account to a new phone. You will need to enter it when you migrate your account to the new phone. You can also disable text message previews.

Moore's method is ridiculously easy. Here are the steps needed to steal your WhatsApp account.

1. install WhatsApp on a device that does not have WhatsApp installed.

2. wait for the target to leave your phone.

3. When WhatsApp asks for a phone number, enter the target's phone number instead.

4. WhatsApp will send a 6-digit confirmation code to the target's phone.

5. If the target's phone has text message preview enabled (which nearly all phones, iOS and Android, do), the confirmation code will appear on the target's phone screen as a preview.

6. enter the confirmation code into WhatsApp on the phone.

The process takes 10 seconds on two phones. The confirmation code is displayed on the lock screen, so I did not need to unlock the first model to verify it. The trickiest part was remembering it.

Since WhatsApp accounts can only be used on one device, the account was migrated from one to the other. If they had done this to someone else, that person would not be able to access their account.

After the transfer, WhatsApp prompted me to migrate all data backed up to Google Drive (or iCloud) to the new model. I did not do that because I wanted to transfer my account back to the first model.

However, Moore did it and was able to see all the archived chats on his colleague's account that he stole using this message. (He got her consent and restored her account on her phone once the experiment was over.)

Needless to say, you do not want others to steal your WhatsApp account. The best way to avoid this is to add a PIN to your account.

WhatsApp calls this two-step verification, but it should not be confused with two-factor authentication (2FA); WhatsApp's 2FA is a rather lax implementation, which is what got us into this trouble in the first place.

In any case, go to WhatsApp settings, tap "Account," then tap "Two-step verification"; you will be prompted to enter your 6-digit PIN, which you will need to enter again the next time you change your phone.

It is also recommended that you enter your email address as a failsafe in case you forget your PIN.

Moore suggests turning off the lockscreen SMS message preview. However, it would reduce many conveniences of using your phone.

However, I agree that cell phones should not be left unattended while out and about, or even in the house if you don't trust your roommate.