New Delhi, December 20, 2025: India’s cyber security agency CERT-In has issued a high-risk alert over a newly identified vulnerability in WhatsApp’s “device-linking” feature that could allow attackers to gain complete control of user accounts, including access to messages, photos and videos in real time through WhatsApp Web.
In an advisory released on Friday, the Indian Computer Emergency Response Team (CERT-In) named the threat “GhostPairing”, warning that cybercriminals are exploiting WhatsApp’s device-linking mechanism to hijack accounts using pairing codes without any authentication safeguards.
According to the agency, the attack does not require passwords, SIM swaps or direct access to the victim’s phone. Instead, attackers trick users into unknowingly linking a malicious browser as a trusted device, which gives the attackers near-total access to the account.
CERT-In said the attack typically begins with victims receiving a message such as “Hi, check this photo” from what appears to be a trusted contact. The message contains a link with a familiar social media-style preview. Clicking the link redirects users to a fake Facebook viewer that prompts them to “verify” their identity to access the content.
During this process, users are deceived into entering their phone numbers on external websites posing as WhatsApp or Facebook services. Attackers then misuse WhatsApp’s “link device via phone number” option, enabling them to secretly pair their browser to the victim’s account.
Once linked, the attacker gains access similar to that of the legitimate user on WhatsApp Web. This includes reading synced messages, receiving new chats in real time, viewing photos, videos and voice notes, and even sending messages to contacts and group chats.
CERT-In cautioned that the linked malicious device remains hidden, making it difficult for victims to detect the breach immediately. The agency has advised users to avoid clicking suspicious links, even if they appear to come from known contacts, and to never enter phone numbers on external sites claiming to offer WhatsApp or Facebook verification.
A response from WhatsApp on the advisory is awaited. CERT-In is India’s national agency responsible for responding to cyber security incidents and safeguarding the country’s digital infrastructure.
