【Bhawri (2021) Hindi Web Series】

Who would have Bhawri (2021) Hindi Web Seriesthought that, in the end, it would be the humble voicemail that would do us all in?

Your Google, Microsoft, Apple, WhatsApp, and even Signal accounts all have an Achilles' heel — the same one, in fact. And it turns out that if you're not careful, a hacker could use that weakness to take over your online identity.

Or so claims self-described "security geek" Martin Vigo. Speaking to an enthusiastic collection of hackers and security researchers at the annual DEF CON convention in Las Vegas, Vigo explained how he managed to reset passwords for a wide-ranging set of online accounts by taking advantage of the weakest link in the security chain: your voicemail.

SEE ALSO: The hackers just arrived, and they're already breaking Vegas

You see, he explained to the crowd, when requesting a password reset on services like WhatsApp, you have the option of requesting that you receive a callwith the reset code. If you happen to miss the phone call, the automated service will leave a message with the code.

But what if it wasn't youtrying to reset your password, but a hacker? And what if that hacker also had access to your voicemail?

Here's the thing: Vigo wrote an automated script that can almost effortlessly bruteforce most voicemail passwords without the phone's owner ever knowing. With that access, you could get an online account's password reset code and, consequently, control of the account itself.

Original image has been replaced. Credit: Mashable

And no, your two-factor authentication won't stop a hacker from resetting your password.

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

One of Vigo's slides laid out the basic structure of the attack:

1. Bruteforce voicemail system, ideally using backdoor numbers

2. Ensure calls go straight to voicemail (call flooding, OSINT, HLR)

3. Start password reset process using "Call me" feature

4. Listen to the recorded message containing the secret code

5. Profit!

A recorded demo he played on stage showed a variation of this attack on a PayPal account.

"In three, two, one, boom — there it is," Vigo said to audience applause. "We just compromised PayPal."

Vigo was careful to note that he responsibly disclosed the vulnerabilities to the affected companies, but got a less than satisfactory response from many. He plans to post a modified version of his code to Github on Monday.

Notably, he reassures us that he altered the code so that researchers can verify that it works, but also so that script kiddies won't be able to start resetting passwords left and right.

So, now that we know this threat exists, what can we do to protect ourselves? Vigo, thankfully, has a few suggestions.

First and foremost, disable your voicemail. If you can't do that for whatever reason, use the longest possible PIN code that is also random. Next, try not to provide your phone number to online services unless you absolutely have to for 2FA. In general, try to use authenticator apps over SMS-based 2FA.

But, really, the most effective of those options is shutting your voicemail down completely. Which, and let's be honest here, you've likely been looking for a reason to do anyway. You can thank Vigo for providing you with the excuse.

---

Featured Video For You

---

Here's 5 tips for Spring cleaning your digital footprint

---

Topics Cybersecurity

• Games
• Shopping
• Life
• Entertainment
• Digital Culture
• Science
• Tech
• Social Good

• Then and Now: Six Generations of $200 Mainstream Radeon GPUs Compared
• Netflix cancels 'Jessica Jones' and 'The Punisher'
• Samsung Galaxy Home smart speaker will launch in 'first half of 2019'
• Airline kicks passenger off plane for wearing Black Panther hat
• Best Presidents' Day deal: Save $44 on Fitbit Charge 6
• The best places to go on the internet if you stan possums
• UK cybersecurity centre isn't too afraid of Huawei, report says
• Will.I.Am transforms into Trump in music video supporting Clinton
• Brest vs. PSG 2025 livestream: Watch Champions League for free
• Someone secretly taped Kim K after robbery, and her lawyers are pissed

• The VR headset for iPhone we've been waiting for is here
• Michael Bublé's son goes home for the holidays between cancer treatments
• Kate Middleton wore Princess Diana's favourite tiara in a moving tribute
• A giant Jeremy Clarkson head keeps popping up to promote 'The Grand Tour'
• The Obamas sent out their final White House Christmas card and Twitter is in love
• The best/worst of 'Me at the beginning of 2016 vs end of 2016' memes
• Singapore museum adds an interactive virtual forest
• What in the hell will Zac Efron and The Rock's 'Baywatch' movie be?
• Math is just too damn difficult for Facebook
• You may soon be able to pick and choose the online ads you see

• Obama photographer Pete Souza on Trump: 'We failed our children'
• YouTube changes 'strike' policy for first
• The surprising list of top Netflix shows in the US by state
• Millennial spending habits are being questioned (again) and the internet isn't here for it
• Brest vs. PSG 2025 livestream: Watch Champions League for free
• UK cybersecurity centre isn't too afraid of Huawei, report says
• LG says it's 'too early' for foldable phones
• The Trumpkin is back to make Halloween terrifying again
• Best AirPods deal: Apple AirPods 4 for $99.99 at Amazon
• Muggles can now apply their makeup with Harry Potter's wand

• GPU Availability and Pricing Update: April 2022
• Beyonce and Jay
• 'The Walking Dead' digs into the origins of the Whisperers
• Watch Michelle Obama's entire speech on Trump and women
• Google 'Ask for me:' AI that calls businesses on your behalf for pricing and availability
• The New York Times stands to benefit big time from a Trump lawsuit
• Bust out the GIFs, the New York Times just gave Trump a legal burn
• Alex Trebek seriously burns contestant for her music taste
• Best Presidents' Day deal: Save $250 on Peloton Bike
• 'The Walking Dead' digs into the origins of the Whisperers