Hyderabad: The Hyderabad commissioner of police VC Sajjanar on Sunday, December 21 warned against “Ghost pairing” on WhatsApp.
Ghost pairing exploits the app’s device-linking feature to gain full access to a victim’s account without needing a password, an OTP, or a physical SIM swap. Hyderabad police commissioner took to X
“If you receive a message saying, “Hey, I just found your photo” with a link. Do not click it, even if it appears to come from someone you know,” he said.
On clicking the link, users are led to a fake webpage that mimics the official Facebook or WhatsApp Web interface, prompting them to “verify” their identity before viewing the content. This step triggers WhatsApp’s official device-pairing process, allowing the attacker to gain full WhatsApp web access, Sajjanar explained.
Instead of breaking WhatsApp’s security, GhostPairing relies entirely on social engineering. “Victims are conned into approving the attacker’s device themselves, making the attack both effective and difficult to detect,” said a cyber security expert.
After the account is compromised, scammers use it to send the same malicious links to the victim’s contacts and group chats. “Messages coming from known people are far more likely to be clicked, allowing the scam to propagate quickly without mass spam or obvious red flags,” point out the cyber security experts.
To stay safe, users must regularly check WhatsApp’s Linked Devices section and remove any unfamiliar sessions. Any message to enter pairing codes, scan QR codes, or “verify” accounts through external websites should be treated with suspicion.
