- Hackers can hijack WhatsApp accounts without ever cracking passwords or encryption
- GhostPairing attacks exploit legitimate device-linking features to gain full account access
- Users are tricked by fake Facebook login pages into authorizing attackers
Security researchers are warning WhatsApp users about a growing account hijacking technique that does not rely on breaking passwords or bypassing encryption.
Attackers exploit WhatsApp’s legitimate device-linking feature to quietly attach their own browser to a victim’s account.
Once linked, the attacker can read messages in real time, download shared media, and send messages that appear to come directly from the victim.
How the linking feature is abused
The attack, tracked under the name GhostPairing, begins with a short message that appears to come from a trusted contact.
The message typically contains a link claiming to show a photo of the recipient.
To build credibility, the link preview often resembles Facebook content.
Clicking the link redirects the victim to a fake Facebook login page hosted on a lookalike domain.
Instead of verifying anything, the page initiates WhatsApp’s device-pairing workflow.
Victims are prompted to enter their phone number on the fake page, which allows the attacker to trigger a legitimate pairing request.
WhatsApp then generates a pairing code, which the attacker displays on the fraudulent site.
The victim is instructed to enter this code inside WhatsApp, unknowingly authorizing a new linked device.
Although WhatsApp clearly states that a device is being added, researchers say many users overlook or misunderstand the message during the process.
Once the pairing is complete, attackers gain full access to the account without needing authentication credentials.
Gen Digital warns that many victims remain unaware that an additional device has been linked in the background.
This allows criminals to monitor conversations, collect sensitive information, impersonate the victim, and spread the same lure to contacts and group chats.
Researchers have previously observed similar device-linking abuse in attacks against other messaging platforms.
The only reliable way to detect this type of compromise is by manually checking the Linked Devices section within WhatsApp settings.
If the user does not recognize any listed device, it should be promptly removed from the account.
Users are also advised to report suspicious messages and enable additional account protections, including two-factor authentication.
Tools such as antivirus software may help flag malicious websites, while malware removal solutions can assist if further compromise is suspected.
Identity theft protection services may reduce harm after personal data exposure, although they do not prevent account hijacking itself.
This exploitation shows that user awareness remains a critical weak point, even when platforms provide warnings during sensitive actions.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
English (US) ·