Indian cyber security agency CERT-In has flagged a vulnerability in WhatsApp’s device-linking feature that allows attackers to gain “complete” control of user accounts, including access to real-time messages, photos and videos on the web version.
In an advisory issued on Friday and accessed by PTI, the Indian Computer Emergency Response Team named the issue “GhostPairing”.
“It has been reported that malicious actors are exploiting WhatsApp's device-linking feature to hijack accounts using pairing codes without authentication requirement,” the agency said.
“This newly identified cyber campaign called GhostPairing enable cyber criminals to take complete control of WhatsApp accounts without needing password or SIM swaps,” the advisory said.
A response from WhatsApp to the revelation is awaited.
CERT-In, the national technology arm responsible for combating cyber attacks and safeguarding India’s internet space, classified the attack as a high-severity campaign.
According to the advisory, the attack typically begins when a victim receives a message such as “Hi, check this photo” from a trusted contact.
The message contains a link with a Facebook-style preview that redirects users to a fake Facebook viewer.
Victims are then prompted to “verify” in order to view the content. During this process, attackers exploit WhatsApp’s “link device via phone number” feature by tricking users into entering their phone numbers on the fraudulent site.
By doing so, victims unknowingly grant attackers full access to their WhatsApp accounts.
The GhostPairing attack works by adding the attacker’s browser as an additional trusted and hidden device through a pairing code that appears authentic.
Once the attacker successfully links their device, they gain nearly the same level of access as the account holder on WhatsApp Web.
This includes the ability to read synced messages, receive new messages in real time, view photos, videos and voice notes, and send messages to the victim’s contacts and group chats.
The advisory urged users to adopt precautionary measures, including avoiding clicking on suspicious links even if they are received from known contacts, and refraining from entering phone numbers on external websites claiming to be associated with WhatsApp or Facebook.
