WhatsApp accounts targeted in ‘GhostPairing’ attack

Another draw is that the app is built on end-to-end encryption (E2EE) privacy in which the private keys used to secure messages are stored on the device itself. This should make it impossible to eavesdrop on private messages without either having physical access to the device or remotely infecting it with malware.

GhostPairing demonstrates that a social engineering attack can bypass this. Interestingly, although still possible, the attack is less practical when asking users to pair via QR codes. That offers some reassurance for users of messaging apps such as Signal, which only allows pairing requests via QR Codes.

Defending WhatsApp

Users can check which devices are paired via WhatsApp via Settings > Linked Devices. A rogue device link will appear here. Despite having access to a user’s WhatsApp account, the attacker can’t revoke their device access, which must be initiated by the primary device. Another tip is to enable two-step PIN verification. This won’t stop the attacker accessing messages but will mean they can’t change the primary email address.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts