According to TechRepublic, cybersecurity researchers at Gen Digital have uncovered a new “GhostPairing” attack that silently links an attacker’s device to a victim’s WhatsApp account. The technique exploits WhatsApp’s legitimate feature that allows users to connect up to four devices, like browsers or desktops, to a single account. The attack starts with a victim clicking a malicious link, often disguised as a Facebook photo share, which steals their WhatsApp-linked phone number. Hackers then use that number to initiate a device pairing, tricking the user into entering a code that grants the attacker full, ongoing access. The attackers typically lie dormant, monitoring chats to gather personal information for future impersonation, blackmail, or targeting the victim’s contacts. Crucially, this happens without locking the user out or triggering any obvious security alerts, making it extremely difficult to detect.
Why this is so insidious
Here’s the thing: this isn’t a fancy zero-day exploit. It’s not about breaking encryption or finding a software bug. It’s about abusing a perfectly normal, user-friendly feature. WhatsApp’s multi-device setup is great for convenience, but GhostPairing shows how a slick feature can become a major liability. The attackers are basically using the front door, and the victim is handing them the key without realizing it. And because they don’t take over the account or send weird messages, the victim has no reason to check their linked devices. They could be spied on for months. That’s the scary part. It turns a platform praised for its security into a silent surveillance tool.
The broader landscape of social hacks
So what does this mean for the security landscape? It reinforces a brutal truth: the weakest link is almost always us. Companies can build fortresses, but if someone can talk their way past the guard, it’s all for nothing. This attack, detailed further by Malwarebytes, is a masterclass in social engineering. It preys on curiosity (“I found your photo!”) and uses the trusted brands of Facebook and WhatsApp as camouflage. In a world obsessed with AI-powered cyberattacks, sometimes the oldest tricks are the most effective. It’s a reminder that user education isn’t a secondary concern—it’s the primary defense.
How to protect yourself right now
Look, the advice sounds simple, but it’s vital. Never click unsolicited links. Seriously. Hover over them first. But the most important step? Check your linked devices. Right now. On your phone, go into WhatsApp Settings, then “Linked Devices,” and review everything. If you see a device you don’t recognize, log it out immediately. That’s your kill switch. Since WhatsApp limits you to four linked devices, attackers hitting that limit might also trigger an error, but why wait for that? Make it a habit. And if you do get hit, tell your contacts immediately. This isn’t just about your security; it’s about stopping the chain. Basically, trust your gut. If a message feels off, it probably is.
