WhatsApp Users Beware: New GhostPairing Vulnerability Exposes Accounts to Attackers

A new advisory from India's CERT-In describes a high-severity attack on WhatsApp's device-linking feature, dubbed GhostPairing. It lets criminals hijack accounts without passwords or SIM swaps: the victim receives a deceptive message from a trusted contact, follows a link to a fake Facebook page, and is tricked into completing a device-pairing step that links the attacker's browser to their own account. The advisory urges users not to click suspicious links and not to enter their phone number on sites posing as WhatsApp or Facebook. WhatsApp has not yet responded, so users should stay informed about this emerging threat and take the precautions below.

Critical Security Flaw in WhatsApp's Device-Linking Feature


New Delhi: The Indian cyber security agency CERT-In has identified a serious weakness in the way WhatsApp's device-linking feature can be abused, one that lets an attacker gain near-complete control of a user's account: reading messages in real time and viewing photos and videos through the web version of the app, from a browser the attacker controls.


The agency has labeled this issue as "GhostPairing" in an advisory released on Friday, which has been reported by various news outlets.


According to the advisory, attackers are abusing the pairing-code option of WhatsApp's device-linking feature (the alternative to scanning a QR code) to hijack accounts. No credential of the attacker's is ever checked: the victim is tricked into entering, on their own phone, the pairing code that the attacker's browser generated.


The threat, which CERT-In calls GhostPairing, therefore needs neither a password nor a SIM card swap.


A response from WhatsApp regarding this alarming revelation is still pending.


CERT-In, the Indian Computer Emergency Response Team, is the national agency responsible for responding to cyber security incidents and protecting the Indian Internet landscape.


The advisory rates the attack high-severity. It typically starts with the victim receiving a message such as "Hi, check this photo" from someone they trust.


The message carries a link with a Facebook-style preview. Clicking it opens a fraudulent Facebook "viewer" that asks the user to "verify" their identity before showing the content, and the verification step asks for their phone number. Behind the scenes, the attacker's browser uses that number to start WhatsApp Web's "link device via phone number" flow, which produces a pairing code. The phishing page presents that code to the victim as a verification code and instructs them to enter it in WhatsApp on their phone; doing so links the attacker's browser to the victim's account and gives the attacker full access.


In other words, GhostPairing tricks the user into approving the attacker's browser as an additional trusted device on their own account, using a pairing code that looks legitimate because it genuinely came from WhatsApp.


Once the attacker successfully links their device, they gain nearly the same access as the victim would on WhatsApp Web.


They can read messages that sync to their device, receive new messages in real-time, view photos, videos, and voice notes, and even send messages to the victim's contacts and group chats.
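The exchange described above, as an added illustration that is not part of the advisory and is not WhatsApp's protocol or code: a constructed, simplified model of a phone-number linking flow. The code length, the service API and the sample phone number are assumptions for the model. It keeps only the property GhostPairing relies on: the pairing code proves that whoever holds the phone approved some pending linking request for that number, and says nothing about who opened the browser that asked for the code, so a legitimate self-link and an attacker's link look identical to the service.

```python
"""Constructed, simplified model of a phone-number device-linking flow.

Added illustration, not WhatsApp's protocol or code. It models one property:
a pairing code proves that the phone holder approved *some* pending request
for that number; it carries no information about who requested the code.
"""
import secrets
import string
from dataclasses import dataclass, field

CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 8  # assumption for the model, not a statement about WhatsApp


@dataclass
class Account:
    phone: str
    linked_devices: list = field(default_factory=list)


class LinkingService:
    """Server side of the model: hands out pairing codes, completes links."""

    def __init__(self):
        self.accounts = {}
        self.pending = {}  # pairing code -> (phone, client that requested it)

    def register(self, phone):
        self.accounts[phone] = Account(phone)

    def request_code(self, phone, client_id):
        # Browser side. A phone number is not a secret, so anyone who has it
        # can ask for a code; the request does not prove control of the account.
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.pending[code] = (phone, client_id)
        return code

    def confirm_on_phone(self, phone, code):
        # Phone side. The phone is the trusted party, but the only input it
        # gets is the code, which carries nothing about the requester.
        entry = self.pending.pop(code, None)  # single use, consumed even on failure
        if entry is None or entry[0] != phone:
            return False
        self.accounts[phone].linked_devices.append(entry[1])
        return True


def link_flow(service, phone, requesting_client):
    """Run one complete exchange; returns the resulting linked-device list."""
    code = service.request_code(phone, requesting_client)   # browser -> server
    service.confirm_on_phone(phone, code)                   # phone -> server
    return list(service.accounts[phone].linked_devices)


def unknown_devices(service, phone, devices_the_user_recognises):
    """What a review of the linked-devices list should surface: sessions the owner did not open."""
    return [d for d in service.accounts[phone].linked_devices
            if d not in devices_the_user_recognises]


if __name__ == "__main__":
    svc = LinkingService()
    victim = "+910000000000"  # constructed sample number
    svc.register(victim)
    # Legitimate use: the victim links their own laptop.
    print(link_flow(svc, victim, "victim-laptop"))
    # GhostPairing: the attacker's browser requests the code, the phishing page
    # relays it to the victim as a "verification code", the victim types it in.
    print(link_flow(svc, victim, "attacker-browser"))
    print(unknown_devices(svc, victim, {"victim-laptop"}))
```

The two calls to link_flow are the same code path; the only difference is who sat at the browser. That is why the advisory's countermeasures are about the human step (not requesting or typing a code for a site you did not open) rather than about the code itself.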


To mitigate these risks, the agency advises users to avoid clicking on suspicious links, even if they appear to come from known contacts, and to refrain from entering their phone numbers on external sites claiming to be WhatsApp or Facebook. A code shown by a website is never a "verification" step: it is a request to link that site's browser to your account, so it should only ever be typed into WhatsApp for a browser you opened yourself. Users who suspect they have already entered such a code should open WhatsApp's Linked devices settings and log out any session they do not recognise.
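One concrete way to apply the "not on external sites claiming to be WhatsApp or Facebook" advice is to check where a link really points before trusting its name. The following is an added example, not code from the advisory: it flags links whose host merely mentions a trusted name (as a subdomain, in the path, or in the userinfo before an "@") instead of actually being under it, plus a few other lookalike tricks. The trusted-domain list, the sample URLs and the two-label "registrable domain" shortcut are assumptions for the example.

```python
"""Added example (not from the advisory): flag links whose host only *looks*
like Facebook or WhatsApp. A real page lives under those domains; a lookalike
merely mentions them somewhere in the URL.
"""
from urllib.parse import urlsplit

# Assumption for the example: the domains a user is prepared to trust.
TRUSTED_DOMAINS = ("facebook.com", "fb.com", "whatsapp.com")


def registrable_domain(host):
    """Last two labels of the host. Adequate for the .com-style names used
    here; a real deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Return ('trusted', []) or ('suspicious', [reasons])."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # https://facebook.com@evil.example/ shows the trusted name before '@'
        reasons.append("userinfo before host: real host is %s" % host)
    if not host.isascii():
        reasons.append("non-ASCII host (possible homoglyph)")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label in host")
    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        # The trusted name appearing as a subdomain, in the path or in the
        # userinfo is the classic lookalike: facebook.com.viewer.example,
        # evil.example/facebook.com/..., facebook.com@evil.example
        lookalike = next(
            (t for t in TRUSTED_DOMAINS
             if t.split(".")[0] in host or t in parts.path.lower()
             or (parts.username or "").lower().endswith(t)),
            None,
        )
        if lookalike:
            reasons.append("looks like %s but the host is %s" % (lookalike, domain))
        else:
            reasons.append("untrusted domain %s" % domain)
    return ("suspicious", reasons) if reasons else ("trusted", reasons)


if __name__ == "__main__":
    # Constructed sample links, not real GhostPairing infrastructure.
    for sample in (
        "https://www.facebook.com/photo?id=1",
        "https://facebook.com.photo-viewer.example/verify",
        "https://facebook.com@evil.example/view",
        "https://evil.example/facebook.com/viewer",
    ):
        print(sample, "->", classify_link(sample))
```

The check is deliberately conservative: anything that is not plainly under a trusted domain over HTTPS is reported, because the point of the phishing page in this attack is that it only needs to look convincing for the few seconds it takes to type a phone number and a code.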