Someone Is Watching: How “GhostPairing” Steals Your WhatsApp Session

I recently stumbled upon a nasty trick called a GhostPairing attack. It is a total nightmare for privacy, and it is catching a lot of people off guard because it is so simple.

Unlike old-school hacks that try to guess your password, this one tricks you into giving the attacker a “front-row seat” to all your chats using WhatsApp’s own features.

How the Trap Works

Imagine you get a message from a friend. They have already been hacked, but you don’t know that yet. They send a link saying they found a photo of you.

When you click it, you see a page that looks exactly like a Facebook login. It asks for your phone number to “verify your identity” before showing the photo.

The “Pairing” Trick

Here is where the attacker gets clever. They are most likely running their end of the exchange from a Linux machine that manages their sessions, which lets them act fast.

  1. The Handshake: You enter your number on the fake site.
  2. The Request: Behind the scenes, the attacker’s server sends your number to the real WhatsApp Web service.
  3. The Hook: The fake site shows you a pairing code and tells you to “type this into your WhatsApp app to verify.”
  4. The Takeover: When you enter that code in your phone (under Settings > Linked Devices), you aren’t verifying anything.

You are actually authorizing the attacker’s browser to log into your account.

Why This Is Dangerous

The attacker now has a “Ghost” session on your account. They can read your past messages, see your private photos, and even message your family pretending to be you.

  • No Password Needed: It bypasses Two-Factor Authentication because you provided the authorization yourself.
  • Invisible: Your phone keeps working perfectly, so you might not notice for weeks.
  • Trust-Based: Most people click because the message comes from a friend they trust.

How to Stay Safe

I did a quick audit of my own account, and you should too. Here is the checklist:

  • Check Your Linked Devices: Open WhatsApp, go to Settings, then Linked Devices. If you see a browser or session you don’t recognize, tap it and hit Log Out immediately.
  • Never Enter Codes: Never enter a pairing code into your app unless you are the one currently trying to link your own computer.
  • Verify the Source: If a friend sends a suspicious link about “a photo of you,” call them or use another app to ask if they actually sent it.

Give your settings a quick look today and make sure you are the only one in your inbox.
