India's national cybersecurity agency has issued a critical warning to millions of WhatsApp users in the country. The Indian Computer Emergency Response Team (CERT-In) has flagged a severe security vulnerability that allows malicious actors to hijack user accounts completely.
What is the GhostPairing Threat?
The advisory, accessed by PTI, details a new cyber campaign dubbed 'GhostPairing'. This attack exploits WhatsApp's device-linking feature, enabling cybercriminals to gain unauthorized access without needing a password or performing a SIM swap. The agency stated that this flaw puts users' private messages, photos, and videos on the web version at significant risk.
CERT-In, which operates under the Ministry of Electronics and Information Technology (Meity), explicitly warned that attackers are actively exploiting this feature. They use pairing codes to link their own devices to a victim's account, bypassing any authentication requirement. Once linked, the attacker's browser becomes a hidden, trusted device on the account.
How the GhostPairing Scam Operates
The attack typically begins with a deceptive message, such as "Hi, check this photo," which appears to come from a known and trusted contact. This message contains a link that shows a preview resembling Facebook. Unsuspecting users who click the link are redirected to a fake Facebook viewer page.
This fraudulent page then prompts the user to "verify" themselves to view the promised content. At this stage, victims are tricked into entering their phone number. This step is crucial, as it allows the attackers to exploit WhatsApp's "link device via phone number" feature. By entering their number on the fake site, users inadvertently grant the hacker's device permission to link to their WhatsApp account.
Consequences and How to Stay Safe
The consequences of a successful GhostPairing attack are severe. Once the hacker's device is secretly linked, they gain almost complete control. They can read all synced messages, receive new chats in real-time, access photos, videos, and voice notes, and even send messages from the victim's account to their contacts and group chats.
CERT-In's advisory provides clear guidance to stay protected. Users are strongly advised not to click on suspicious links, even if they seem to originate from familiar contacts. Furthermore, you should never enter your phone number on external websites that claim to be WhatsApp or Facebook. Vigilance is the primary defense against this sophisticated social engineering attack.
