What is 'GhostPairing', new scam that can 'hijack' WhatsApp account without password?


The advisory, issued by CERT-In with a 'high' severity rating, says the attack begins when the victim receives a message such as "Hi, check this photo" and can end in the full 'hijacking' of the user's WhatsApp account. CERT-In (the Indian Computer Emergency Response Team) is the country's key technical body for dealing with cyber attacks and protecting India's online space.

According to CERT-In's warning, GhostPairing enables cybercriminals to gain full access to WhatsApp accounts without requiring passwords or SIM card changes.

The method abuses WhatsApp's device-linking feature. Rather than defeating any authentication check, the attacker presents a pairing code that looks authentic and tricks the victim into approving it, so the link is authorised by the victim's own action.

Once an account is 'hijacked', attackers use it to send messages to the victim's contacts.

"In a nutshell, the GhostPairing attack tricks users into granting an attacker's browser access as an additional trusted and hidden device by using a pairing code that looks authentic," the agency said in the advisory.

The attack begins with a "Hi, check this photo" message sent by a contact that appears trustworthy. The message includes a link that displays a Facebook-style preview.

When clicked, the link opens a fake Facebook viewer asking users to "verify" their identity to view the content. At this stage, attackers misuse WhatsApp's "link device via phone number" feature by misleading users into entering their phone numbers; the number entered on that page is what the attacker needs to start the link-by-phone-number flow for the victim's account.

By completing a short and seemingly harmless set of steps, victims unknowingly grant attackers complete access to their WhatsApp accounts. This happens without any password being stolen or any SIM swap, the advisory said.
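As an added illustration, not part of the CERT-In advisory and not WhatsApp's own code, the following Python sketch models a simplified "link a device with phone number" flow and replays the GhostPairing sequence against it. The class and function names, the phone number, IP address and browser strings are all assumptions constructed for the example; the model is meant only to show where the trust boundary sits and why no password or SIM swap is involved.

```python
# Added example: a simplified model of a "link a device with phone number"
# pairing flow. This is NOT WhatsApp's protocol; the names below are
# assumptions, and the phone number, IP address and user-agent strings are
# constructed sample data.
import secrets
import string
from dataclasses import dataclass, field


@dataclass
class LinkedDevice:
    session_id: str   # identifies the browser session that asked to be linked
    user_agent: str   # what the linked browser reported about itself
    origin_ip: str    # where the pairing request came from


@dataclass
class Account:
    phone: str
    linked: list = field(default_factory=list)


class PairingServer:
    """Issues pairing codes and links sessions to accounts once a code is confirmed."""

    def __init__(self):
        self.accounts = {}
        self.pending = {}  # code -> (phone, LinkedDevice)

    def register(self, phone):
        self.accounts[phone] = Account(phone)

    def request_pairing_code(self, phone, session_id, user_agent, origin_ip):
        # The weak point: knowing the phone number is all that is needed to
        # obtain a genuine pairing code for that account. No secret is checked
        # here because the decision is deferred to the owner's phone.
        if phone not in self.accounts:
            raise KeyError("unknown account")
        alphabet = string.ascii_uppercase + string.digits
        code = "".join(secrets.choice(alphabet) for _ in range(8))
        self.pending[code] = (phone, LinkedDevice(session_id, user_agent, origin_ip))
        return code

    def pending_request(self, code):
        """What the phone should show the owner before they approve a code."""
        return self.pending.get(code)

    def confirm_pairing(self, phone, code):
        # Called from the primary phone. The only control is whether the owner
        # types the code in; if they do, the requesting browser becomes a
        # trusted linked device. Codes are single-use and bound to one account.
        entry = self.pending.get(code)
        if entry is None or entry[0] != phone:
            return False
        del self.pending[code]
        self.accounts[phone].linked.append(entry[1])
        return True

    def unlink(self, phone, session_id):
        acct = self.accounts[phone]
        before = len(acct.linked)
        acct.linked = [d for d in acct.linked if d.session_id != session_id]
        return len(acct.linked) < before


def ghostpairing(server, victim_phone):
    """Replay the attack flow against the model and return the attacker's session id."""
    # 1. The attacker's browser asks for a code using the victim's own number
    #    (the number the fake "verify your identity" page harvested).
    attacker_session = "browser-" + secrets.token_hex(4)
    code = server.request_pairing_code(victim_phone, attacker_session,
                                       "Chrome/120 (attacker PC)", "203.0.113.5")
    # 2. The victim, believing the code is a "verification" step for the photo,
    #    enters it in the app on their phone. Nothing else is needed.
    server.confirm_pairing(victim_phone, code)
    return attacker_session


def unknown_devices(server, phone, known_sessions):
    """Defensive check: list linked devices the owner does not recognise."""
    return [d for d in server.accounts[phone].linked if d.session_id not in known_sessions]


if __name__ == "__main__":
    srv = PairingServer()
    srv.register("+91-9876543210")
    ghostpairing(srv, "+91-9876543210")
    for d in unknown_devices(srv, "+91-9876543210", known_sessions=set()):
        print("unrecognised linked device:", d.user_agent, "from", d.origin_ip)
        srv.unlink("+91-9876543210", d.session_id)
    print("linked devices left:", len(srv.accounts["+91-9876543210"].linked))
```

The point the model makes is that the server never sees anything wrong: the pairing code is real, it was requested for the right account, and the owner typed it in. The only places a defence can act are the prompt the phone shows before the code is accepted (what `pending_request` returns: who is asking, from where) and a periodic review of linked devices (`unknown_devices`) followed by unlinking anything unrecognised.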

Once an attacker links their device, they gain access similar to WhatsApp Web:

The advisory suggests several steps to reduce the risk of account compromise or takeovers:
