
WhatsApp device linking abused in account hijacking attacks

Published:

17 December 2025 at 19:14:30

Alert date:

17 December 2025 at 20:02:12

Source:

bleepingcomputer.com

Email & Messaging, Identity & Access

Threat actors are exploiting WhatsApp's legitimate device-linking feature to hijack user accounts through pairing codes in a campaign called GhostPairing. The attack abuses the platform's multi-device functionality by tricking users into sharing pairing codes, allowing attackers to link their devices to victims' WhatsApp accounts. This enables unauthorized access to messages, contacts, and other sensitive information. The campaign represents an active exploitation of a legitimate feature for malicious purposes, posing significant privacy and security risks to WhatsApp users worldwide.

Technical details

The GhostPairing attack abuses WhatsApp's legitimate device-linking feature to hijack accounts without authentication. Attackers send messages from compromised accounts containing links to fake Facebook pages. These pages request phone numbers and display WhatsApp pairing codes, tricking victims into linking the attacker's browser to their WhatsApp account. Once linked, attackers gain full access to conversation history and shared media, and can send messages to contacts. The attack uses typosquatted domains and Facebook content previews to appear legitimate. WhatsApp Web provides real-time access to new messages and media download capabilities.

Mitigation steps:

Check Settings → Linked Devices for unauthorized devices linked to your account.
Block and report suspicious messages.
Activate two-factor authentication.
Take time to analyze received messages before taking action.
Verify if contacts are genuine before clicking links.
Remove any unauthorized linked devices immediately.

Affected products:

WhatsApp
WhatsApp Web

IOCs:

Typosquatted domains, Fake Facebook pages requesting WhatsApp verification, Messages from known contacts sharing photo links with Facebook previews
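
The advisory lists typosquatted domains and fake Facebook pages as indicators but names no hosts. The following is an added example, not code from the advisory or its source: a lookalike-host check over message text for the two impersonated brands. The allowlist of genuine domains, the function names and the sample messages are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: brands named in the advisory, mapped to genuine domains (extend as needed).
BRANDS = {"facebook": ("facebook.com", "fb.com"), "whatsapp": ("whatsapp.com", "whatsapp.net")}
DIGIT_SWAPS = str.maketrans("01345", "oleas")  # common digit-for-letter substitutions
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonated_brand(host):
    # Returns the brand a hostname imitates, or None if it is genuine or unrelated.
    host = host.lower().rstrip(".")
    for legit in BRANDS.values():
        if any(host == d or host.endswith("." + d) for d in legit):
            return None  # genuine domain or one of its subdomains
    tokens = re.split(r"[.\-_]", host.translate(DIGIT_SWAPS))
    for brand in BRANDS:
        for tok in tokens:
            near = abs(len(tok) - len(brand)) <= 1 and edit_distance(tok, brand) <= 1
            if brand in tok or near:
                return brand
    return None

def flag_links(messages):
    # Extracts URLs from message text and returns (host, brand) for each lookalike.
    hits = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            host = urlsplit(url).hostname or ""
            brand = impersonated_brand(host)
            if brand:
                hits.append((host, brand))
    return hits

# Constructed sample messages; the .example hosts are placeholders, not real indicators.
SAMPLE = [
    "Hey, I just found your photo! https://faceb00k-photos.example/view?id=1",
    "Group invite: https://www.facebook.com/groups/123",
    "Verify here: http://login.whatsap.example/pair",
    "Lunch? https://menu.example/today",
]
```

A hit is a triage lead, not a verdict: unrelated sites can contain a brand name, and a lookalike that avoids these patterns will not be flagged.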

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.