WhatsApp accounts targeted in ‘GhostPairing’ attack
Thursday December 18, 2025. 06:48 PM , from ComputerWorld
A warning for WhatsApp users: cybercriminals have discovered an alarmingly simple way to read a user’s conversations in real time by manipulating the app’s device pairing (linking) routine.

Termed ‘GhostPairing’ by researchers at security company Gen Digital (owner of Norton, Avast, Avira, and AVG), the attack needs no passwords or account details and was recently detected in Czechia. All the attacker has to do is persuade a user to click on a malicious link sent to them as a WhatsApp message purporting to reveal a Facebook photo. In the most common variant of the attack, this opens a fake page that asks the user to verify themselves by entering their mobile number. The attackers then submit this number to WhatsApp to start the ‘link device via phone number’ feature, which adds new devices to an account. WhatsApp generates an 8-digit pairing code for that linking request, which the attackers capture and forward to the user. The user, who sees a new pairing prompt in WhatsApp, enters this code to confirm the pairing. Unfortunately, this adds the attacker’s browser session as a ‘trusted device.’ Unless the user becomes suspicious, it’s game over: the attacker now has full access to the account, its messages, and its message history, and can view messages as they are sent and received.

“After their device is linked, the attacker does not need to exploit anything else. They have the same capabilities that any user has when connecting WhatsApp Web on their own computer,” said Gen Digital’s researchers. “Everything happens inside the boundaries of the feature set that WhatsApp intended.”

Worse, the attackers can also send messages that impersonate the user to spread the campaign to the victim’s contacts and WhatsApp groups.

E2EE bypass

GhostPairing is an example of an attack that exploits one of WhatsApp’s biggest draws: signing up, connecting to other users, and adding up to four additional devices to an account is incredibly convenient. It’s one reason why WhatsApp has become so popular. All users need to join is a phone number, with no username or password to remember.

Another draw is that the app is built on end-to-end encryption (E2EE), in which the private keys used to secure messages are stored on the device itself. This should make it impossible to eavesdrop on private messages without either having physical access to the device or remotely infecting it with malware. GhostPairing demonstrates that a social engineering attack can bypass this, because the victim is talked into authorizing a new device themselves. Interestingly, although still possible, the attack is less practical when pairing requires the user to scan a QR code. That offers some reassurance for users of messaging apps such as Signal, which only allows pairing requests via QR codes.

Defending WhatsApp

Users can check which devices are paired via Settings > Linked Devices in WhatsApp. A rogue device link will appear here. Although the attacker has access to the account, a linked device cannot revoke other devices’ access; unlinking must be initiated from the primary device, so the user can remove the rogue link there. Another tip is to enable two-step PIN verification. This won’t stop the attacker accessing messages, but it will mean they can’t change the primary email address.

The threat to enterprises is that large numbers of employees use WhatsApp, including in larger employee discussion groups. The risk is that many of these groups won’t be documented and will therefore be overlooked by security teams. The recommendation is to assume that multiple groups do exist and to educate users to report suspicious phishing or spam from unknown numbers.

The message should be clear: WhatsApp messaging might look private, but the app itself has gaps that attackers can exploit. GhostPairing comes only weeks after university researchers uncovered a major WhatsApp flaw that allowed them to discover the mobile numbers of the app’s 3.5 billion global users. Earlier this year, Meta discovered a weakness in the WhatsApp Desktop app that could be used to target Windows users.

And it’s not only WhatsApp: researchers recently uncovered a hack affecting the company that created a modified version of Signal for use by senior US politicians.

This article first appeared on CSOonline.com.
https://www.computerworld.com/article/4108931/whatsapp-accounts-targeted-in-ghostpairing-attack-2.ht