Indian Cyber Agency Warns of WhatsApp ‘GhostPairing’ Hijack Vulnerability


India’s national cybersecurity agency, the Indian Computer Emergency Response Team (CERT-In), has issued a high-severity alert regarding a critical vulnerability in WhatsApp’s device-linking feature, dubbed “GhostPairing.” This flaw allows malicious actors to hijack user accounts without needing one-time passwords (OTPs), SIM swaps, or physical access to the victim’s phone, potentially granting attackers full control over private conversations and media.

How the GhostPairing Attack Works

The attack exploits WhatsApp’s legitimate “link device via phone number” functionality, which is designed to allow users to pair additional devices (like WhatsApp Web) using a QR code or phone number verification. Here’s a step-by-step breakdown:

1.  Phishing Initiation: Victims receive a seemingly innocuous message from a trusted contact (or a spoofed one), such as “Hi, check this photo” or “Verify to view this update.” The message includes a clickable link disguised as a Facebook-style preview or media thumbnail.

2.  Fake Verification Trap: Clicking the link redirects to a fraudulent external website mimicking Facebook or WhatsApp. The site prompts the user to “verify” their identity by entering their phone number to access the content—exploiting curiosity or urgency.

3.  Unauthorized Pairing: Once the phone number is entered, the site triggers WhatsApp’s device-linking process behind the scenes. This generates a valid pairing code that appears authentic to the attackers, allowing them to link their own browser or device as a “trusted” and hidden companion device to the victim’s account.

4.  Full Access Granted: With the device linked, attackers gain near-complete control equivalent to using WhatsApp Web. They can:

•  Read all synced messages, photos, videos, and voice notes in real time.

•  Receive incoming messages instantly.

•  Send messages impersonating the victim to contacts or group chats.

•  Exfiltrate sensitive data without triggering notifications on the victim’s primary phone.

This process bypasses traditional security layers because the linked device is treated as an authorized extension, remaining invisible to the user unless they manually check their linked devices in WhatsApp settings.

The vulnerability has been actively exploited in targeted campaigns, with CERT-In classifying it as a “high-risk” threat due to its stealthy nature and ease of execution.

Potential Risks

•  Privacy Breaches: Attackers can monitor and steal personal data, including confidential chats, financial details, or intimate media.

•  Impersonation and Fraud: Hijackers could spread misinformation, scams, or phishing links to the victim’s network, amplifying damage.

•  Broader Cyber Threats: Compromised accounts could serve as entry points for further attacks, like ransomware or identity theft, especially for high-profile users such as journalists, activists, or business professionals.

CERT-In noted that this issue affects both Android and iOS users globally, though the advisory was prompted by incidents observed in India.

Recommendations from CERT-In

To protect against GhostPairing:

•  Avoid Suspicious Links: Never click on links in messages promising exclusive content, even from known contacts—verify directly with the sender via another channel.

•  Don’t Share Phone Numbers: Refrain from entering your number on any external sites claiming affiliation with WhatsApp, Facebook, or similar platforms.

•  Monitor Linked Devices: Regularly check and revoke unauthorized devices in WhatsApp settings (Settings > Linked Devices).

•  Enable Two-Step Verification: Activate WhatsApp’s built-in 2FA for an extra layer of protection against unauthorized registrations.

•  Update the App: Ensure WhatsApp is updated to the latest version, as Meta (WhatsApp’s parent) may roll out patches.

As of the latest reports, WhatsApp has not publicly responded to CERT-In’s advisory, but users are urged to stay vigilant amid ongoing investigations. For official updates, refer to CERT-In’s portal or WhatsApp’s security blog.

This alert underscores the growing sophistication of social engineering attacks on messaging apps, with experts calling for enhanced user education and platform-side safeguards like improved link previews and anomaly detection.
