TL;DR: Voicemail isn’t safe. Disable it.
Recently, many activists have reported their Telegram and WhatsApp accounts being hacked because of a vulnerability in the authentication process that involves access to voicemail.
Voicemail is something we usually don’t care about and tend to ignore, but it can also be a place where a simple verification code ends up stored and then forgotten.
How does the hack work?
This is basically a social/technical hack: the attacker knows the target’s number and knows the target powers off the phone while sleeping, so the attacker tries to register a new device at night and asks for the verification code to be sent via a call, which then goes to voicemail.
The attacker then connects to the provider’s voicemail using the fancy “check your voicemail remotely” feature, which allows anyone to connect to the voicemail of a specific telephone number and asks only for the PIN to access it. This works for any country.
The last bit is to guess the PIN, and guess what? Most people never changed their voicemail PIN, so it will be the default PIN.
How to fix this?
If you don’t use it, you can disable voicemail. In fact, you don’t need it: search online for “how to disable the voicemail + your_provider” and check which code you need to use.
If you really need your voicemail: change your PIN.
History notes to dig more…
This hack already happened in Brazil and triggered a big scandal in the Lava Jato investigation; the leak was so big it was called Vaza Jato. [full-article]
The hack works for every IM that sends the auth code via call; as of now, activists are confirming account hacking on Telegram and WhatsApp.