WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
Key Takeaways A new social engineering method, dubbed “GhostPairing,” allows threat actors to hijack WhatsApp accounts without needing passwords or one-time codes. The attack exploits...
Key Takeaways
- A new social engineering method, dubbed “GhostPairing,” allows threat actors to hijack WhatsApp accounts without needing passwords or one-time codes.
- The attack exploits WhatsApp’s legitimate device-linking feature by tricking users into approving an attacker-controlled device.
- Successful GhostPairing grants attackers full access to messages, enabling impersonation, fraud, and data theft.
- This technique highlights a growing trend of cybercriminals leveraging trusted digital platforms for nefarious activities.
- Users should regularly check linked devices, enable two-step verification, and remain highly suspicious of any requests to link new devices or share codes.
Cybersecurity researchers have uncovered a sophisticated social engineering tactic, named GhostPairing, that enables malicious actors to gain unauthorized access to WhatsApp accounts. This method bypasses traditional password and one-time verification code requirements by exploiting the application’s legitimate device-linking functionality, relying instead on user manipulation.
Unlike direct service breaches, GhostPairing leverages WhatsApp’s feature designed for connecting companion devices. The core of the scam involves coercing a victim into approving a new, attacker-controlled device, thereby granting the perpetrator persistent access to their account and communications.
The implications of a successful GhostPairing attack are severe. A compromised linked device allows an attacker to intercept and read messages, monitor ongoing conversations, impersonate the account holder, and initiate urgent requests to the victim’s contacts. This opens a clear pathway for various forms of financial fraud and broader identity theft, as criminals capitalize on the inherent trust associated with a known WhatsApp account. Past incidents of WhatsApp Web session hijacking illustrate how a compromised messaging session can rapidly escalate into business-focused fraud.
Researchers at GenDigital identified GhostPairing as part of a broader trend where cybercriminals are shifting their focus to exploit trusted digital environments, moving beyond traditional malicious files or deceptive login pages. In a report, GenDigital said this technique transforms a standard account-management function into a vulnerability for full account takeover.
This evolving threat underscores that strong password hygiene alone is insufficient to prevent all account compromises. Even with robust password security, users can lose control of their accounts if socially engineered into linking an attacker’s device. Consequently, meticulous verification and regular account audits are crucial defensive measures.
Understanding the GhostPairing Attack Flow
The GhostPairing attack initiates with a social engineering phase, not a technical exploit. Attackers employ various deceptive tactics, such as fraudulent messages, convincing social media posts, or fake support requests, to lure targets. The ultimate goal is to persuade the victim to engage with WhatsApp’s companion-device pairing process on behalf of the attacker, typically by scanning a seemingly innocuous QR code or approving a linking request.
Once the victim approves the new device, the attacker gains persistent, unfettered access to the victim’s WhatsApp chats without ever needing the account password. This makes GhostPairing particularly dangerous as victims may not immediately detect the compromise. Attackers can covertly monitor conversations, gathering intelligence before launching more targeted fraud. A prior WhatsApp device linking scam demonstrated a similar social engineering approach leading to full account access.
With account control, attackers can impersonate the victim to solicit money from contacts, extract sensitive
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.