Apni Pathshala

WhatsApp GhostPairing Hack Alert

General Studies Paper II: Government Policies and Intervention, IT & Computers, Cybersecurity 

Why in News? 

The Indian Computer Emergency Response Team (CERT-In) has issued a high-severity warning for WhatsApp users in India. It highlights a new cyber threat named ‘GhostPairing’ that exploits device pairing features to hijack accounts and enable silent surveillance without user awareness across platforms.

What is the GhostPairing Hack?

  • GhostPairing is a newly identified WhatsApp account takeover technique that allows attackers to gain full access to a user’s WhatsApp account without needing a password, OTP, SIM swap, or traditional authentication. 
  • It abuses the application’s device-linking mechanism, which is meant to let users link WhatsApp to browsers or other devices. 
  • In this scheme, attackers trick the victim into unknowingly approving a malicious device as a linked device, giving the attacker silent access to messages and media. 
  • In December 2025, the Indian Computer Emergency Response Team (CERT-In) issued an advisory warning WhatsApp users in India about GhostPairing and classified it as a high-severity campaign.
  • The GhostPairing hack does not exploit a software bug in WhatsApp. Instead, it uses social engineering tactics to manipulate users into completing steps that inadvertently authorize an attacker’s device. The method misuses WhatsApp’s multi-device support feature, which normally lets users pair laptops or desktops with their account. 
  • Once a device is successfully linked through GhostPairing, the attacker gains deep access to the WhatsApp account. This includes the ability to:
      • Read past and incoming messages that are synced to WhatsApp Web.
      • View and download photos, videos, voice notes, and other shared media.
      • Send messages to the victim’s contacts and groups.
      • Receive real-time updates and notifications as though they were the account owner.

How GhostPairing Compromises WhatsApp Accounts

  • Deceptive Message: The GhostPairing attack starts when a user receives a deceptive message that looks like it comes from a trusted contact. The message may say something like “Hey, check this photo” and includes a link that shows a Facebook-style preview inside WhatsApp. This link is crafted to appear familiar and genuine so the victim feels safe clicking it. 
  • Fake Webpage Mimic: When the victim taps the link, the browser opens a counterfeit webpage that mimics a trusted content viewer. It may look like a Facebook photo viewer or WhatsApp Web authentication page. The page tells the user they must “verify” to view the content.
  • Device-Linking Process: Once the victim engages with the fake verification, the page asks for the user’s phone number. Entering the phone number triggers WhatsApp’s official device-linking process. WhatsApp then generates a pairing code, which the fake page instructs the user to enter into their WhatsApp app.
  • Unauthorized Access: When the user enters the pairing code into WhatsApp, the app links a new device to the user’s account. In GhostPairing, that newly linked device is controlled by the attacker. The user believes they are completing a benign verification, but they are actually authorizing access to the attacker’s device.
  • Multi-Device Feature: WhatsApp’s multi-device support is meant to let users link laptops, tablets, or web browsers to their account. GhostPairing abuses that legitimate feature. Instead of linking a user’s own device, it links the attacker’s browser session. The attacker then gets almost the same access that WhatsApp Web normally provides. There is no forced logout and no visible interruption. 
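
The lure pattern in the steps above (a brand-imitating preview, a "verify" gate, a phone-number prompt and a pairing code shown outside WhatsApp) can be turned into a triage check for awareness training or a mail/chat gateway. This is an added example, not code from CERT-In or WhatsApp; the trusted-domain lists, regular expressions, verdict names and sample inputs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts on which a WhatsApp pairing prompt is expected to appear.
TRUSTED_SUFFIXES = ("whatsapp.com",)
# Assumption: brands a lure preview may imitate, mapped to their real domains.
BRANDS = {"facebook": ("facebook.com", "fb.com"), "whatsapp": ("whatsapp.com",)}

PHONE_PROMPT = re.compile(r"(enter|confirm|provide)\b.{0,40}\b(phone|mobile) number", re.I | re.S)
CODE_PROMPT = re.compile(r"(pairing|linking|verification)\s+code|link(ed)? (a )?device", re.I)
VERIFY_GATE = re.compile(r"\bverify\b.{0,60}\b(view|see|continue)\b", re.I | re.S)

def host_matches(host, suffixes):
    """True only for the domain itself or a real subdomain, not 'facebook.com.evil.example'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def assess(url, preview_title, page_text):
    """Return (verdict, reasons) for a link received in a chat message."""
    host = urlsplit(url).hostname or ""
    reasons = []
    for brand, domains in BRANDS.items():
        if brand in (preview_title + " " + host).lower() and not host_matches(host, domains):
            reasons.append(f"imitates {brand} but is hosted on {host}")
    off_platform = not host_matches(host, TRUSTED_SUFFIXES)
    if off_platform and PHONE_PROMPT.search(page_text):
        reasons.append("asks for phone number outside WhatsApp")
    if off_platform and CODE_PROMPT.search(page_text):
        reasons.append("shows a device-linking code outside WhatsApp")
    if VERIFY_GATE.search(page_text):
        reasons.append("gates content behind 'verify'")
    # Phone prompt plus linking code off-platform is the GhostPairing combination.
    pairing = sum("outside WhatsApp" in r for r in reasons)
    verdict = "block" if pairing == 2 else "review" if reasons else "allow"
    return verdict, reasons

# Constructed samples, not real campaign data.
LURE = ("https://photos.facebook.com.viewer.example/p/1", "Facebook Photo",
        "Verify to view this photo. Enter your phone number, then type the "
        "pairing code shown here into WhatsApp > Linked devices.")
BENIGN = ("https://www.facebook.com/photo/1", "Facebook Photo", "Log in to see more photos.")

if __name__ == "__main__":
    for sample in (LURE, BENIGN):
        print(assess(*sample))
```

The hostname check matters as much as the text rules: a substring match on "facebook.com" would accept the lure host, while the suffix comparison does not.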

Role of CERT-In in India’s Cybersecurity Response Mechanism

  • The Indian Computer Emergency Response Team (CERT-In) is the central agency designated to manage cybersecurity incidents in India. 
  • It was formally established on 19 January 2004 under Section 70B of the Information Technology Act, 2000 as the national nodal body for handling digital threats and incidents. 
  • CERT-In operates under the Ministry of Electronics and Information Technology (MeitY) of the Government of India and serves to protect the country’s information and communication technology infrastructure.
  • The legal mandate empowers CERT-In to collect, analyse, and disseminate information about cyber incidents, issue cybersecurity guidelines, and coordinate responses to threats across sectors. 
  • The agency receives reports of breaches, malware attacks, phishing, ransomware, and other cyber threats from organisations, individuals, and government departments. CERT-In also maintains a 24×7 Cyber Security Operations Centre (CSOC) to detect threats in real time and orchestrate rapid response actions nationwide.
  • The agency issues advisories, alerts, vulnerability notes, and security guidelines to government agencies, critical infrastructure sectors, private companies, and the general public. These advisories provide actionable information about steps to take to secure systems.
  • The agency works within the structures of the National Cyber Security Policy (2013) and newer regulatory regimes such as the Digital Personal Data Protection Act, 2023, to align cybersecurity practices with legal and strategic goals. CERT-In also enforces regulatory directives under the IT Act.
  • The agency collaborates with specialised bodies such as the National Critical Information Infrastructure Protection Centre (NCIIPC) and sectoral CERTs to ensure robust cyber defence and rapid recovery from attacks targeting vital systems.

Preventive Measures and Cyber Hygiene for Citizens and Institutions

  • Many modern applications allow multi-device access for convenience, so citizens and institutions must develop the habit of regularly checking linked devices on messaging and email platforms. Regular checking reduces long-term hidden access. Simple routine checks create a strong first layer of defence.
  • Citizens must avoid clicking unknown links even if they come from known contacts. Institutions should train employees to verify messages before responding. Awareness training must focus on recognising fake previews, suspicious verification requests and unexpected pairing prompts.
  • Users should always keep security notifications enabled on all communication platforms. Many apps notify users when a new device connects. Institutions should enforce mandatory alert monitoring for official accounts. Any unexpected notification should trigger immediate review and incident reporting.
  • Institutions must follow structured patch management policies with defined timelines. India’s cyber audit frameworks after 2021 require government and critical sector systems to follow strict update schedules. Delayed updates increase exposure and reduce defence readiness.
  • Institutions must adopt clear cybersecurity policies for communication tools. Access rules must follow the principle of least privilege. Accounts should link only essential devices. A zero-trust approach treats every access request as potentially risky. 
