The Indian Computer Emergency Response Team (CERT-In), the country's national cyber security agency, has issued a critical warning to millions of WhatsApp users. The agency has flagged a sophisticated new method that malicious actors are using to hijack user accounts, putting personal data and privacy at significant risk.
Exploiting the Device-Linking Feature
The core of this security threat lies in the exploitation of WhatsApp's legitimate 'device-linking' feature. This feature is designed to allow users to link their primary WhatsApp account to other devices, such as web browsers or desktop apps, for seamless multi-device use. However, CERT-In has identified that cybercriminals are manipulating this process to gain unauthorized control.
The attack bypasses the standard authentication requirement. Typically, linking a new device requires physical access to the primary phone to scan a QR code. The new hijacking method, however, reportedly uses pairing codes in a way that does not require this step, allowing attackers to link a victim's account to a device under their control without the victim's knowledge or consent.
How the WhatsApp Account Hijack Unfolds
While the agency has not released granular technical details to prevent copycat attacks, the general modus operandi involves social engineering. Attackers often initiate contact with the target user through a call or message, tricking them into revealing a one-time pairing code sent by WhatsApp. In other scenarios, malware or phishing links may be used to capture this code.
Once the malicious actor inputs this code on their own device, they successfully link the victim's WhatsApp account. The victim's session on their primary phone may be forcibly logged out, and the attacker gains full access to all chats, contacts, and shared media. The hijacking can happen swiftly, often leaving users locked out of their own accounts.
Implications and Essential Safety Measures
This vulnerability poses a severe threat, as WhatsApp accounts are repositories of highly sensitive personal and professional conversations. Account takeover can lead to identity theft, financial fraud (by tricking contacts), and exposure of private information.
CERT-In, which operates under the Ministry of Electronics and Information Technology, advises users to take immediate precautions:
- Never share WhatsApp verification or pairing codes with anyone, even if the requester appears to be a friend or official entity.
- Enable two-step verification within WhatsApp settings (Settings > Account > Two-step verification) for an added layer of security.
- Regularly check the list of linked devices (Settings > Linked devices) and log out from any unfamiliar sessions immediately.
- Be extremely cautious of unsolicited calls or messages urging urgent action regarding your WhatsApp account.
The alert was reported on 20 December 2025, highlighting the ongoing and evolving nature of cyber threats targeting popular communication platforms. Users are urged to stay vigilant and proactively secure their digital accounts.
