February 22, 2023

WhatsApp users have been warned that a stranger may be receiving their private WhatsApp messages and may also be able to send messages to all of their contacts if they change their phone number but do not delete the WhatsApp account associated with it.

The security flaw is caused by wireless carriers’ practice of recycling former customers’ phone numbers and distributing them to new customers. WhatsApp admits that this can happen, but it is extremely rare.

It happened to a user’s son, who had long-term access to that person’s private messages as well as group messages, both personal and work-related, according to the user.

The son, a WhatsApp user in Switzerland with a Swiss phone number, relocated to Paris for work and obtained a new French phone number and SIM card. He was still using WhatsApp, which continued to send and receive messages as usual, oblivious to the phone number change. He later changed his phone number on WhatsApp.

His phone was immediately flooded with all of the groups from a stranger, and he began receiving all new messages intended for that person, whether individual or in groups. His profile photo was also replaced with the other person’s.

The incident was reported to WhatsApp and parent company Meta, and it was determined to be a recycled phone number issue rather than a WhatsApp-specific bug. Although Meta acknowledged that “this is a concern,” she stated that it did not qualify as a bug for the bug bounty program.

The sources for this piece include an article in TheRegister.