CERT-In warns of ‘GhostPairing’ allowing full control of WhatsApp

New Delhi: Indian cybersecurity officials have warned WhatsApp users about a newly uncovered threat that allows attackers to seize “complete” control of accounts through the platform’s device linking option. The Indian Computer Emergency Response Team, or CERT-In, detailed the flaw in an advisory released recently and accessed by PTI, calling the campaign “GhostPairing”.

According to the advisory, attackers are “exploiting WhatsApp’s device-linking feature to hijack accounts using pairing codes without authentication requirements.” CERT-In said the operation enables criminals to take over accounts without needing a password or conducting SIM swaps. A response from WhatsApp on the issue is still awaited.

CERT-In, the national agency tasked with safeguarding India’s cyber infrastructure, said the attack typically starts with a message sent from a seemingly “trusted” contact. The text often reads, “Hi, check this photo,” accompanied by a link presented with a Facebook-style preview. Users who click the link are redirected to a fake Facebook viewer that requests a “verification” step. At this point, attackers use the “link device via phone number” feature to trick victims into entering their phone numbers.

Victims “unknowingly” grant intruders access by allowing the attacker’s browser to register as an additional trusted device using a pairing code designed to appear legitimate. Once linked, the attacker gains nearly the same permissions available on WhatsApp Web. This includes reading synced messages, receiving new chats in real time, viewing photos, videos and voice notes, and sending messages to the victim’s contacts and groups.

CERT-In urged users to avoid clicking unfamiliar links, even those appearing to come from known contacts, and to refrain from entering phone numbers on external pages that claim affiliation with WhatsApp or Facebook.