New GhostPairing Attack Enables Full WhatsApp Account Access Using Only a Phone Number
Cybersecurity researchers have uncovered a new WhatsApp account takeover campaign, dubbed GhostPairing, which allows attackers to gain full access to user accounts without stealing passwords or exploiting software vulnerabilities.
The attack relies entirely on social engineering and the legitimate device-linking functionality built into WhatsApp.
How the GhostPairing attack works
Victims receive lure messages, often sent from contacts whose accounts are already compromised, claiming that a photo or file has been found. The message contains a link to a fake page styled to look like Facebook that asks the victim to "verify" themselves.
After the victim enters their phone number, the attacker abuses WhatsApp's official device-pairing flow: the victim is tricked into entering a numeric pairing code, and that step approves the attacker's unauthorized device.
From the victim's perspective, the process looks identical to normal verification. In reality, the attacker has silently linked their own browser or device to the victim's account.
Why this attack is particularly dangerous
Once paired, attackers gain persistent and invisible access to:
historical chat data
real-time messages
media files and documents
sensitive personal or business information
Because the victim remains logged in, the compromise can go undetected for long periods. Compromised accounts are then used to spread the attack further.
DIAMATIX Perspective
GhostPairing highlights the growing risk of identity-centric attacks where trust is exploited rather than technology.
It reinforces a critical lesson:
Security controls fail when users are manipulated into authorizing malicious actions themselves.
Organizations must treat messaging platforms as part of their security surface, with awareness, policies, and monitoring aligned accordingly.
Protection recommendations
Regularly review Linked Devices in WhatsApp
Remove unknown sessions immediately
Never enter pairing codes based on external instructions
Enable Two-Step Verification
Be cautious with urgent or emotionally framed messages
Sources:
Gen Digital Research
BleepingComputer
The Hacker News