The Indian Computer Emergency Response Team (CERT-In) has issued an advisory for Indian WhatsApp users, warning them about a new “device-linking” feature on the social media platform that could allow attackers to ‘hijack’ accounts. It said the newly identified cyber campaign is called ‘GhostPairing’.
The advisory, which carries a ‘high’ severity rating, said the attack begins when the victim receives a message such as “Hi, check this photo”, which can lead to the full ‘hijacking’ of the user’s WhatsApp account. Notably, CERT-In is the country’s key technical body responsible for dealing with cyber attacks and protecting India’s online space.
What is ‘GhostPairing’?
According to CERT-In’s warning, GhostPairing enables cybercriminals to gain full access to WhatsApp accounts without requiring passwords or SIM card changes.
The method exploits WhatsApp’s device-linking feature, allowing attackers to take over accounts by using pairing codes that do not require proper authentication.
Once an account is ‘hijacked’, attackers use it to send messages to the victim’s contacts.
“In a nutshell, the GhostPairing attack tricks users into granting an attacker’s browser access as an additional trusted and hidden device by using a pairing code that looks authentic,” the agency said in the advisory.
How does the ‘hijacking’ work?
The attack begins with a “Hi, check this photo” message sent by a contact that appears trustworthy. The message includes a link that displays a Facebook-style preview.
When clicked, the link opens a fake Facebook viewer asking users to “verify” their identity to view the content. At this stage, attackers misuse WhatsApp’s “link device via phone number” feature by misleading users into entering their phone numbers.
By completing a short and seemingly harmless set of steps, victims unknowingly grant attackers complete access to their WhatsApp accounts. This happens without any password being stolen or any SIM swap, the advisory said.
What can attackers access after ‘hijacking’?
Once an attacker links their device, they gain access similar to WhatsApp Web:
- They can read messages that are synced to their device
- They receive new messages in real-time
- They can view photos, videos, and voice notes
- They can send messages from the victim’s account
- They can access personal chats and group conversations
What should you do?
The advisory suggests several steps to reduce the risk of account compromise or takeovers:
- Do not click on suspicious links, even if they appear to come from known contacts.
- Never enter your phone number on external websites claiming to be linked to WhatsApp or Facebook.
- Regularly check Linked Devices on WhatsApp. Open WhatsApp and go to Settings > Linked Devices. If you notice any device you do not recognise, log out of it immediately.
For organisations:
- Offer security awareness training focused on attacks targeting messaging apps.
- Implement mobile device management where relevant.
- Watch for signs of phishing and social engineering attempts.
- Incident response protocols should be put in place for quick detection and resolution.