Monday, January 26, 2026

WhatsApp ‘GhostPairing’ Alert: CERT-In Warns Of Vulnerability Allowing Full Account Hijack

India’s national cyber security agency, CERT-In (Indian Computer Emergency Response Team), has issued a “high” severity advisory regarding a new hacking technique dubbed “GhostPairing.” The technique allows malicious actors to take complete control of a user’s WhatsApp account via the web version without needing passwords or SIM swaps.

How the ‘GhostPairing’ Attack Works

According to the advisory accessed by PTI on Friday, December 19, 2024, the campaign relies on social engineering and a flaw in the “device-linking” feature.

  1. The Hook: A victim receives a message from a “trusted” contact (whose account may already be compromised) saying something like, “Hi, check this photo.”
  2. The Fake Link: The message contains a link with a Facebook-style preview. Clicking it leads to a fraudulent “Facebook viewer” site.
  3. The Verification Trap: To see the photo, the site prompts the user to “verify” their identity. Users are then asked to enter their phone number.
  4. Silent Hijacking: Behind the scenes, the attackers initiate a “link device via phone number” request. The victim is tricked into entering a pairing code generated by the attacker’s browser, unknowingly authorizing the attacker as a “hidden” trusted device.

The Impact: Total Access

Once the “GhostPairing” is successful, the attacker gains nearly the same level of access as the primary user on the web version:

  • Real-time Monitoring: Ability to read and receive new messages as they arrive.
  • Media Access: Full access to synced photos, videos, and voice notes.
  • Impersonation: The attacker can send messages to the victim’s contacts and group chats, further spreading the scam.

CERT-In Recommendations: How to Protect Yourself

To prevent your account from being hijacked, the agency suggests the following countermeasures:

  • Avoid Suspicious Links: Do not click on links promising “hidden photos” or “verification,” even if they appear to come from friends or family.
  • Never Share Codes: WhatsApp pairing codes should only be used on the official web.whatsapp.com or the official Desktop app.
  • External Verification: Never enter your phone number on third-party websites claiming to be affiliated with WhatsApp or Facebook.
  • Check Linked Devices: Regularly go to WhatsApp Settings > Linked Devices to check for any unauthorized browsers or devices. If you see one you don’t recognize, log out immediately.

Note: A formal response from WhatsApp regarding a patch or updated authentication requirement for pairing codes is currently awaited.
