India's national cyber security agency, CERT-In, has flagged a high-severity threat to WhatsApp accounts that could allow attackers to take "complete" control of a user's account without requiring passwords or SIM swaps.

In an advisory issued on Friday and accessed by PTI, CERT-In said malicious actors are exploiting WhatsApp's "device-linking" feature to hijack accounts using pairing codes that do not require any further authentication. The campaign has been named GhostPairing.

"It has been reported that malicious actors are exploiting WhatsApp's device-linking feature to hijack accounts using pairing codes without authentication requirement," the advisory said.
"This newly identified cyber campaign called GhostPairing enables cyber criminals to take complete control of WhatsApp accounts without needing a password or SIM swaps," it added.

CERT-In, which functions as India's computer emergency response team, said the attack has been rated "high" in severity and can give hackers access to real-time messages, photos, videos and voice notes through WhatsApp Web.

According to the advisory, the attack typically begins when a user receives a message such as "Hi, check this photo" from a contact that appears to be trusted. The message contains a link with a Facebook-style preview that redirects the user to a fake Facebook viewer page. To access the content, the user is prompted to "verify" themselves. During this step, the attackers abuse WhatsApp's "link device via phone number" option by tricking the victim into entering their mobile number on the fake site, which is all the attacker needs to start a device-link for that account.

"This way, the victims unknowingly grant the attackers full access to their WhatsApp accounts," the advisory said.
CERT-In explained that GhostPairing works by secretly adding the attacker's browser as a trusted, hidden device using a pairing code that appears legitimate. Once linked, the attacker gains nearly the same access as the account owner on WhatsApp Web. Nothing in the flow exploits a software bug: the pairing code is a genuine code for the attacker's own browser session, and the link succeeds because the victim is tricked into completing a pairing that the attacker started.

Hackers can read synced messages, receive new chats in real time, view shared media and even send messages to the victim's contacts and group chats, the agency said.

As a precaution, CERT-In advised users not to click on suspicious links, even if they appear to come from known contacts, and to avoid entering phone numbers on external websites claiming to be WhatsApp or Facebook services. Separately from the advisory, WhatsApp's Linked Devices screen (Settings > Linked devices) lists every active companion session and lets the account owner log any of them out, which is the practical check for an account that may already have been paired with an unknown browser.