- Attackers hijack WhatsApp accounts by abusing the device linking feature, not by cracking passwords.
- Victims are tricked into approving a pairing code on a fake login page.
- Once linked, attackers gain full access and can impersonate the user silently.
- Checking Linked Devices is the only reliable way to detect and stop this attack.
For two decades I have watched attackers move from brute force tactics to quiet abuse of trusted features. What is happening now on WhatsApp fits that pattern perfectly. No passwords are guessed. No encryption is cracked. Instead, criminals are walking through the front door by convincing users to let them in.
Security researchers are warning about a method commonly referred to as GhostPairing. The name sounds technical, but the idea is simple. WhatsApp allows users to link additional devices such as browsers or secondary phones to the same account. This is a legitimate and useful feature. Attackers are exploiting it by tricking users into approving a device they do not own.
Once approved, the attacker effectively becomes you inside WhatsApp. Messages appear in real time. Media can be downloaded. Replies can be sent that look completely authentic. From the outside, nothing appears broken.
How the attack actually works
The starting point is social engineering, not malware. Victims usually receive a short message that appears to come from someone they know. It might claim to show a photo or a piece of content that naturally sparks curiosity. To make the lure believable, the preview often looks like familiar Facebook content.
When the victim taps the message, they are taken to a fake Facebook login page hosted on a convincing lookalike domain. At this stage, many users assume they have simply been logged out and need to sign in again.
What happens next is the clever part. Instead of capturing a Facebook password, the page triggers WhatsApp’s own device pairing process. The victim is asked to enter their phone number. This alone is enough for the attacker to request a legitimate pairing code from WhatsApp.
The code is then displayed on the fake page with instructions telling the victim to enter it inside WhatsApp. WhatsApp does show a notice explaining that a new device is being linked. Unfortunately, many users skim past this message or misunderstand it, especially if they believe they are completing a routine login.
Once the code is entered, the attacker’s browser is officially linked to the account. No alarms go off. No password was stolen. From WhatsApp’s perspective, the user approved the action.
Why victims rarely notice
This kind of compromise is dangerous because it is quiet. The account continues to work normally on the victim’s phone. Messages still arrive. Nothing crashes. Unless the attacker sends something obvious, there may be no immediate sign of trouble.
Researchers note that many victims remain unaware for weeks. During that time, attackers can read private conversations, harvest sensitive information, impersonate the victim in one-to-one chats, and spread the same lure to groups and contacts. Trust does the rest of the work for them.
This technique has appeared before on other messaging platforms, which tells us something important. The weakest point is not encryption or authentication. It is human attention during security prompts.
What actually protects you
Despite the sophistication of the trick, detection is straightforward if users know where to look. The only reliable way to spot this type of takeover is by checking the Linked Devices section in WhatsApp settings. Every connected device is listed there.
If you see a browser or device you do not recognize, remove it immediately. This action cuts off the attacker at once.
Additional protections help, but they are not magic shields. Two-factor authentication adds friction for attackers. Reporting suspicious messages helps limit spread. Antivirus tools can flag fake sites. Identity theft services can reduce damage after data exposure. None of these replace user awareness at the moment of approval.
This attack is a reminder that security features are only as strong as our understanding of them. When platforms warn users during sensitive actions, those warnings matter. Skipping them is exactly what attackers count on.