India Issues High-Severity ‘GhostPairing’ Warning on WhatsApp Device-Linking Hijack

On 19-21 Dec 2025, CERT-In and Hyderabad police publicly flagged a new “GhostPairing” exploit that lets attackers gain full control of WhatsApp accounts via the Linked-Devices feature—no OTP, SIM swap, or password required.

Focusing Facts

  1. CERT-In’s 19 Dec 2025 bulletin rates GhostPairing “High” severity and cites abuse of the “link device via phone number” workflow to seize accounts.
  2. Hyderabad Police Commissioner V.C. Sajjanar posted an alert on X on 21 Dec 2025 warning users to ignore messages such as “Hey, I just found your photo” and to audit their Linked Devices list.
  3. The scam re-uses legitimate 8-digit pairing codes or live QR codes, so victims receive no new-login OTP and attackers remain undetected for days or weeks.

Context

GhostPairing echoes the 2016 “Google Docs” phishing wave—when a convincing link silently granted OAuth access to millions—showing that the most dangerous hacks weaponise official workflows, not break them. It also recalls 2019’s Pegasus controversy, where WhatsApp’s very strength (ubiquity and rich APIs) became an entry point for surveillance. Over the last decade, messaging apps have layered convenience features (multi-device, phone-number logins) faster than they have re-imagined threat models; social-engineering campaigns now scale globally in hours, exploiting network trust rather than code flaws. India, with the world’s largest WhatsApp user base and an aggressive “Digital Nagrik” push, sits at the fault-line: each breach erodes public confidence in end-to-end encryption and nudges regulators toward tighter oversight of foreign tech. On a century horizon, the episode is a small but telling datapoint in the battle between usability and sovereignty in digital communications—showing that identity verification, not encryption, may be the weakest link in mass-adopted secure messaging.

Perspectives

Mainstream national news outlets

They report that CERT-In has discovered a critical technical flaw in WhatsApp’s device-linking system that lets attackers seize full control of accounts, labelling GhostPairing a “high-severity” vulnerability. Headlines stress catastrophic takeover and keep repeating the “complete control” line, boosting urgency and clicks while quoting CERT verbatim and omitting WhatsApp’s unrebutted side.

Hyderabad-based local press and police advisories

Coverage frames GhostPairing primarily as a social-engineering scam in which victims themselves authorise an attacker’s device, so staying safe is largely a matter of personal caution. By centring user gullibility and local policing advice, the reports downplay structural security weaknesses in WhatsApp and showcase the police commissioner’s public-safety role.

Business and financial newspapers

Articles argue the breach proves WhatsApp is becoming unsafe and suggest users consider migrating to rival home-grown messaging apps that market stronger privacy. Linking the exploit to the growth ambitions of domestic competitors lets business desks weave a pro-switch narrative that may overstate the exploit’s scope to favour alternative platforms.
