WhatsApp GhostPairing Scam Reportedly Lets Hackers Take Over Accounts Without Authentication

Instead of exploiting software flaws, GhostPairing relies on social engineering and tricks users into approving a malicious device themselves.

Written by Sucharita Ganguly, Edited by David Delima | Updated: 19 December 2025 18:57 IST
Highlights
  • Attackers hijack accounts using WhatsApp device linking
  • Fake Facebook-style links lure users into pairing devices
  • Campaign first spotted in Czechia but can spread globally

A new WhatsApp account takeover technique that abuses the app's legitimate device-linking feature has been discovered by a cybersecurity firm. The campaign, dubbed GhostPairing, allows attackers to gain full access to a victim's WhatsApp account without stealing passwords, SIM cards, or authentication codes. Instead of exploiting software flaws, the attack relies on social engineering and tricks users into approving a malicious device themselves. The method is said to be difficult to detect, spreads quickly through trusted contacts, and highlights serious risks in how device-pairing features are currently designed and understood by users.

GhostPairing Scam Tricks WhatsApp Users Into Giving Hackers Full Access

According to a report by cybersecurity firm Gen Digital, the attack begins with a brief message sent from a trusted contact, often saying something like “Hey, I just found your photo!” The message includes a link that appears as a Facebook-style preview inside WhatsApp. Clicking the link leads users to a fake webpage designed to look like a Facebook photo viewer, which asks them to “verify” before viewing the content.

The verification step does not involve Facebook at all. Instead, the page quietly triggers WhatsApp's official device-pairing process. Victims are asked to enter their phone number, after which WhatsApp generates a numeric pairing code. The fake page then instructs users to enter this code inside WhatsApp, making it appear like a routine security check.

The report explained that by entering the code, users unknowingly approve the attacker's browser as a linked device. This gives attackers full WhatsApp Web access, allowing them to read conversations, receive new messages in real time, download media, and send messages as the victim. The phone continues to work normally, making the compromise difficult to notice.

The campaign was first observed in Czechia, but Gen Digital warned that it can spread easily across regions. Compromised accounts are used to send the same lure to contacts and group chats, allowing the attack to grow through existing trust networks rather than mass spam.

Researchers in the report noted that the method does not bypass encryption or exploit software flaws. Instead, it relies on social engineering and legitimate features working as designed. The report added that this makes the attack particularly concerning, as linked devices remain active until users manually remove them.

To stay safe, users are advised to regularly check WhatsApp's Settings > Linked Devices section and remove any unfamiliar sessions. The researchers also recommended treating any request to scan QR codes or enter pairing numbers from websites as suspicious, enabling two-step verification, and taking time to verify unexpected messages, even when they come from known contacts.

GhostPairing is said to highlight broader risks in device-pairing systems used across many apps. While convenience is a key feature, the report said clearer warnings, better context around pairing requests, and stronger controls could help reduce abuse.

 
