Security BUZZ - WhatsApp's Hidden Backdoor: How Attackers Are Hijacking Accounts Without Passwords

    Posted 5 days ago
    Have you ever received a WhatsApp message from a friend asking you to check out a photo? That innocent-looking link might give attackers complete access to your conversations, no password required.
    Security researchers recently discovered an attack called "GhostPairing" that exploits a legitimate WhatsApp feature we all use: linking devices to our account. If you had ignored the unexpected link and verified with your contact through another channel, this attack would have failed.
    Here's how it works. An attacker sends you a WhatsApp message with a link claiming to show a Facebook photo. Click it, and you land on a fake page asking you to verify your mobile number. Once you enter it, the attacker initiates WhatsApp's device linking feature on their end. WhatsApp then sends you an 8-digit pairing code. You see a legitimate-looking pairing prompt in your app, enter the code thinking you're verifying something innocent, and suddenly the attacker's browser becomes a trusted device on your account.
    For those of us in title insurance and real estate, consider how often sensitive transaction details flow through WhatsApp. Client communications, wire instructions discussed informally, or internal team chats are all potentially visible to people who shouldn't see them. Imagine this scenario: A real estate agent sends a client a message containing wire instructions for a substantial transaction. The attacker, having hijacked the account, views the message in real-time. Without the client's knowledge, they alter the details to reroute the funds to their own account, resulting in a significant financial loss. The attacker can see everything a linked device normally sees.
    What makes this attack concerning is that it works entirely within WhatsApp's intended functionality. The attacker doesn't need to hack anything or steal your password. Once paired, they have full access to your messages and message history, and can watch conversations unfold in real time. They can even send messages as you, potentially spreading the scam to your contacts and group chats.
    The good news? Detection is straightforward, and the attacker cannot lock you out. Only your primary device can remove linked devices. If you find an unknown device linked to your account, remove it immediately.

    Takeaways:

    • Check your linked devices regularly. Go to WhatsApp Settings > Linked Devices. If you see a device you don't recognize, remove it immediately.
    • Never enter verification codes you didn't request. If WhatsApp suddenly asks you to enter a pairing code and you weren't actively trying to link a new device, stop. Something is wrong.
    • Verify suspicious messages through another channel. If a contact sends you an unexpected link asking you to do something, call them or text them separately to confirm.
    • Enable two-step PIN verification. While this won't prevent message access if you're already compromised, it stops attackers from changing your account's email address.


    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------