WhatsApp Users Haunted By New Horror Story As CERT-In Warns Of ‘GhostPairing’ Risk | Tech News



The exploit allows malicious actors to take ‘complete’ control of a user’s WhatsApp account without needing a password, an OTP, or a physical SIM swap

CERT-In has urged all Indian ‘Digital Nagriks’ to exercise extreme caution when receiving unsolicited links, even from known contacts. Representational image

India’s premier cybersecurity agency, CERT-In (Indian Computer Emergency Response Team), has issued a high-severity advisory regarding a critical vulnerability in WhatsApp’s device-linking feature. Dubbed “GhostPairing”, the exploit allows malicious actors to take “complete” control of a user’s WhatsApp account without needing a password, an OTP, or a physical SIM swap.

By leveraging this flaw, attackers can gain real-time access to a victim’s entire chat history, including sensitive photos, videos, voice notes, and live messages on the web version of the platform.

The Anatomy of the ‘GhostPairing’ Attack

According to the CERT-In advisory issued on December 19, the attack is primarily a social engineering campaign that abuses legitimate WhatsApp features. The sequence typically begins with a deceptive message sent from a “trusted” contact—whose account has likely already been compromised. The message often uses an enticing hook, such as “Hi, check this photo of you”, accompanied by a link that displays a Facebook-style preview to build immediate trust.

When a user clicks the link, they are redirected to a fraudulent “verification” page that mimics the official Facebook or WhatsApp Web interface. Here, the attackers employ two main variants to compromise the account:

The Pairing Code Variant: The fake site prompts the user to enter their phone number. Behind the scenes, the attacker initiates a legitimate “Link with Phone Number” request on their own browser. WhatsApp then generates an 8-digit pairing code, which the attacker relays back to the fake site. The victim, believing this is a standard security check, enters the code into their WhatsApp app, unknowingly authorising the attacker’s browser as a “trusted” device.

The QR Code Variant: In some cases, the phishing site embeds a real-time QR code from the attacker’s WhatsApp Web session. If the victim scans this code from their mobile app to “verify” their identity, the attacker is instantly logged in.

Why It Is Highly Dangerous

The “ghost” nature of this pairing is its most lethal characteristic. Because the attack uses the official Linked Devices protocol, it does not trigger a “New Login” alert that would typically require a secondary OTP. The victim’s primary phone continues to function normally, with no forced logout, allowing the attacker to remain a silent observer for days or even weeks.

During this time, they can monitor all incoming and outgoing communication and even impersonate the user to spread the “GhostPairing” lure to the victim’s entire contact list and group chats.

How to Protect Your Account

CERT-In has urged all Indian “Digital Nagriks” to exercise extreme caution when receiving unsolicited links, even from known contacts. To secure your account:

Audit Your Devices: Go to Settings > Linked Devices in your WhatsApp app. If you see any unfamiliar browser or operating system (e.g., “Google Chrome – macOS” when you only use Windows), log it out immediately.

Enable Two-Step Verification (2SV): Set up a custom 6-digit PIN in your account settings. This adds a critical layer of protection that a paired device cannot easily bypass.

Never Pair Externally: Never scan a QR code or enter a pairing code on a non-official website. Genuine WhatsApp pairing only ever happens between your phone and an official WhatsApp application or web.whatsapp.com.
