Indian Cyber Agency Flags High-Severity WhatsApp 'Hijack' Vulnerability

By Imthiyaz Ali

Overview of the Threat

The Indian Computer Emergency Response Team (CERT-In), the nation's premier cybersecurity watchdog, has issued a "high-severity" alert regarding a new campaign dubbed 'GhostPairing'. This sophisticated attack targets the "device-linking" feature of WhatsApp, allowing malicious actors to seize complete control over a user's account without needing traditional methods like SIM swapping or stealing One-Time Passwords (OTPs).

Unlike previous scams, GhostPairing is designed to be "silent," meaning a victim's phone continues to function normally while an attacker monitors their private conversations in real time from a separate, hidden device.

How the 'GhostPairing' Attack Works

The attack relies more on social engineering than technical exploits, making it difficult for automated security software to detect. The process typically follows these steps:

  1. The Phishing Hook: The victim receives a message—often from a "trusted" contact whose account has already been compromised—with a lure like "Hi, check this photo!".
  2. The Fake Interface: Clicking the link takes the user to a fraudulent website that mimics Facebook or WhatsApp Web.
  3. The Pairing Trap: The site prompts the user to "verify" their identity to see the content. It asks the user to enter their phone number or, more dangerously, displays a pairing code.
  4. The Silent Hijack: If the user enters this code into their mobile WhatsApp app (thinking they are verifying their identity), they are actually authorizing the attacker's browser as a linked device.

"The GhostPairing attack tricks users into granting an attacker's browser access as an additional trusted and hidden device... once linked, they can read messages, view media, and impersonate the victim in group chats." — CERT-In Advisory

Potential Impact on Users

Once the account is "hijacked," the attacker has access to:

  • Real-time Messaging: All incoming and outgoing texts are synced to the attacker’s device.
  • Private Media: Access to all photos, videos, and voice notes shared in chats.
  • Impersonation: The ability to send messages to the victim’s family, friends, and professional contacts to request money or spread further malicious links.
  • Persistence: Because the primary phone stays logged in, many users do not realize for weeks that they are being monitored.

Protective Measures Recommended by CERT-In

To safeguard your account from the GhostPairing campaign, the following steps are recommended:

Action | How to do it
Check Linked Devices | Go to WhatsApp > Settings > Linked Devices. If you see a device you don't recognize (e.g., "Google Chrome - Linux"), Log Out immediately.
Enable Two-Step Verification | Settings > Account > Two-step verification. Set a custom PIN that must be entered when registering or linking.
Avoid Suspicious Links | Never click on links sent via chat that ask you to "verify" your identity or "login" to see a photo.
Update the App | Ensure you are using the latest version of WhatsApp from the official Play Store or App Store.

Note: If you suspect your account is already compromised, re-registering your WhatsApp account (logging out and logging back in with your SMS OTP) will automatically disconnect all other linked devices.

Imthiyaz Ali
Imthiyaz is a cybersecurity professional with over 5 years of experience in cybersecurity research.