New Delhi: India’s cyber security agency CERT-In has issued a high-severity advisory about a WhatsApp account takeover campaign called “GhostPairing” that abuses the app’s device-linking feature.
According to the advisory, GhostPairing is a social-engineering-based campaign in which attackers use WhatsApp’s legitimate “link device via phone number” flow, along with deceptive websites, to add the attacker’s browser or desktop as an extra linked device on a victim’s account. In this method, victims are tricked into completing the official pairing process themselves, meaning attackers do not need the victim’s password, SMS OTP, or a SIM swap, and do not exploit a zero-day vulnerability in WhatsApp.
Investigators and media reports describe a typical attack starting with a message such as “Hi, check this photo,” sent from what appears to be a trusted contact. The message contains a link with a Facebook-style preview. When the user taps the link, they are redirected to a fake content viewer page that asks them to “verify” to view the media and then prompts them to enter their phone number.
Also Read: Indian cyber agency flags WhatsApp ‘hijack’; details here
Behind the scenes, the attacker’s site forwards the entered number to WhatsApp’s “link with phone number” feature, which generates a one-time pairing code meant only for the account owner. The malicious page then displays this legitimate code back to the victim with instructions to “enter this in WhatsApp to confirm” the login. The user is led to open WhatsApp, go to Linked Devices, and type the code, believing they are completing a security step to view the photo.
Once the victim enters the valid pairing code in their WhatsApp app, the attacker’s browser or desktop is added as an authorised linked device on the account, without the attacker needing to authenticate directly in the victim’s app. From that point, the attacker’s linked device can access synced chats and media, receive new messages in near real time, and send messages to individual contacts and group chats. These capabilities are broadly similar to normal WhatsApp Web usage, while the original account holder continues using the account on their phone.
Security researchers have warned that this technique effectively turns WhatsApp’s multi-device feature into a covert surveillance and impersonation channel, as many users rarely check the “Linked Devices” list and may not notice an unfamiliar session. However, the attacker’s device is not invisible. It appears as another linked device, and users can revoke access at any time by removing unknown sessions from the Linked Devices section.
CERT-In and security experts have advised users to:
- Avoid clicking on unsolicited or suspicious links, even if they come from known contacts.
- Never enter their WhatsApp phone number or any pairing code on external websites claiming to be WhatsApp, Facebook, or media viewers.
- Regularly review and remove unfamiliar devices from the WhatsApp “Linked Devices” menu to block unauthorised access.
At the time of the latest reports, a formal public response from WhatsApp to this specific CERT-In GhostPairing advisory was still awaited.
PNN & Agencies
