Hackers have figured out how to hijack WhatsApp accounts without cracking the messaging app’s encryption, security researchers have warned.
The so-called ghostpairing scam takes advantage of legitimate features to deceive WhatsApp users into linking their accounts to a device controlled by an attacker, giving the attacker real-time access to messages, photos, videos and voice notes.
Once in control of an account, the hacker can send messages to the victim’s contacts to carry out further hijacking attacks.
The exploit works by sending the target a message that appears to come from a trusted contact.
A link within the message, which typically claims to show a photo of the user, takes the victim to a fake Facebook login page that prompts them to enter their phone number.
Instead of showing a photo, the page triggers WhatsApp’s device-pairing feature by showing a code that the victim is instructed to enter into the app.
This inadvertently authorizes an unknown device to be linked to the account, giving the attacker full access without requiring a password or other authentication credentials.
The scam was exposed by researchers at cybersecurity firm Avast, which warned that the attack is particularly worrying because it creates a “snowball effect” that allows it to spread rapidly.
“This campaign highlights the growing dynamics of cyber crime: breaking people’s trust is just as important as breaking their security systems,” Luis Corones, security evangelist at Avast, told The Independent.
“Scammers are persuading people to grant access to themselves by abusing familiar mechanisms like QR codes, pairing prompts and ‘verify on your phone’ screens that seem routine.
“Scams like ghostpairing turn trust into a tool for abuse. This isn’t just a WhatsApp issue. This is a warning sign for any platform that relies on fast, low-visibility device pairing.”
In a blog post detailing the scam, Avast said people could be victims of a hijacking attack without even realizing it.
WhatsApp users can check which devices have access to their account by going to Settings and selecting ‘Linked Devices’. Any device that is not recognized should be removed immediately.
The Independent has reached out to WhatsApp for comment.
“At Avast, we see this as a turning point in the way we think about authentication and user intent,” Mr. Corones said.
“As attacks become more manipulative, security must pay attention not only to what users are intentionally doing, but also to what they are being tricked into doing. Ghostpairing shows that when trust becomes automated, it becomes exploitable.”