WhatsApp Web works by linking your phone to a browser session. That convenience is also the risk: if an attacker can trick you into linking a session, or if your phone or computer is compromised, your messages can be exposed without "hacking WhatsApp" in the Hollywood sense.
Most WhatsApp Web incidents come down to two failure modes: a linked device you did not authorize, or a compromised endpoint that can read what you type and see.
Immediate steps if you suspect WhatsApp Web was linked
- Check linked devices and log out unknown sessions. In WhatsApp, review your linked devices list and remove anything you do not recognize. Labels and menus vary by device.
- Turn on two-step verification. WhatsApp supports an additional PIN to reduce account takeover risk. MFA basics are covered in two-factor authentication (2FA).
- Update WhatsApp and your OS. Security fixes do not help if you do not install them.
- Assume the computer matters. If the suspicious session was on a computer you do not trust, treat it as compromised. Scan it and remove untrusted extensions and software.
- Watch for social engineering follow-ups. Attackers often pivot to SMS, phone calls, or email to extract codes or get you to approve prompts. See how to avoid SMS text scams and what phishing is.
Do not: Scan a WhatsApp Web QR code shown to you by someone else, or received in a message. Linking a session is functionally granting access.
How WhatsApp Web compromises usually happen
WhatsApp Web does not need a password. It needs a link between your phone and a browser session. That makes the QR code the permission boundary.
Attackers exploit that boundary in three common ways:
- They trick you into linking a session. A fake support page, an urgent message, or a phone call tells you to scan a QR code to "verify" your account.
- They compromise the computer. Malware or a remote access tool on a laptop can read what you see and type, and can access the linked session once it exists.
- They compromise the phone. If the phone is compromised, linked-device security does not save you. The phone is still the anchor for account registration and recovery.
This is why WhatsApp Web security is mostly device security and social engineering resistance. The phishing patterns that lead to the QR scan moment are usually the same patterns that show up in email and SMS.
Signals that you should treat as exposure
Most victims do not notice a compromise immediately. Treat these as triggers to check linked devices and lock down the account:
- Messages you did not send. Especially in group chats or to contacts you rarely message.
- Unexpected contact additions. New contacts you did not create or business accounts you did not follow.
- Sudden behavior changes on desktop. Your browser session is active when you did not open it.
- Follow-on social engineering. Someone asks for codes, PINs, or money after "verifying" your account.
| What you see | Likely cause | First response |
|---|---|---|
| Unknown linked device | QR code linking or physical access | Log out the session and enable two-step verification |
| Linked session reappears | Computer compromise or repeated social engineering | Clean the computer, remove unknown extensions, then re-link |
| Multiple accounts compromised | Infostealer or remote access tool | Use a known-clean device for recovery, scan and isolate the original device |
| Strange SMS and carrier notifications | SIM swap attempt | Contact the carrier immediately and secure the carrier account |
What happened in the 2015 WhatsApp Web vulnerability
In 2015, Check Point researchers disclosed a WhatsApp Web vulnerability where a crafted contact card (vCard) could lead to code execution on a victim's computer when processed by the web client. WhatsApp patched the issue. The important lesson is not the historical exploit. The lesson is that web clients and desktop sessions are part of your messaging security boundary.
If you want the original technical disclosure and remediation narrative, Check Point's write-up is a primary source: Check Point: WhatsApp Web Vulnerability (2015).
Modern WhatsApp Web risks that still change outcomes
Most current compromises are not from that 2015 bug. They are from predictable patterns that show up in real incidents.
| Risk | What it looks like | What to do |
|---|---|---|
| QR code social engineering | You are asked to scan a QR code to "verify" or "fix" something | Do not scan. Open WhatsApp settings yourself and verify linked devices. |
| Compromised computer | Browser extensions, remote access tools, or malware capture sessions and keystrokes | Scan and clean the device, remove unknown extensions, update OS/browser, then re-link WhatsApp Web. |
| Shoulder-surfing and session persistence | Someone has physical access to your unlocked computer or phone | Lock devices, sign out of sessions, and avoid linking on shared computers. |
| Phone compromise | Spyware or unwanted apps can read notifications and capture credentials | Follow the steps in how to check if your phone is hacked, then rotate critical account credentials from a known-clean device. |
| Account takeover adjacent scams | Requests for codes, PINs, or money from "support" contacts | Never share codes. Verify via official support channels and known contacts. |
If your phone number is being hijacked
WhatsApp accounts are anchored to phone numbers. If you lose control of the number, recovery can become a carrier problem first and a WhatsApp problem second.
Signals that your phone number is under attack can include sudden loss of service, unexpected carrier notifications, or new SIM activation messages. In that situation:
- Contact the carrier using a known number. Ask about SIM swaps, port-out activity, and account access changes.
- Secure the carrier account. Add or reset the carrier PIN and enable account protections the carrier supports.
- Regain control of the number. Many WhatsApp recovery steps depend on receiving SMS or calls to that number.
- After the number is stable, revisit WhatsApp. Log out unknown linked devices and enable two-step verification.
This is also where many scams happen. Attackers will claim they can "restore" your WhatsApp if you pay or share codes. Do not engage. Use official channels only.
Audit the computer that used WhatsApp Web
When WhatsApp Web is involved, the computer is part of the security boundary. If the computer is compromised, an attacker can often regain access even after you log out unknown sessions.
Minimum audit steps that fit most home and small business environments:
- Review browser extensions. Remove anything you do not recognize or do not actively use. Extension sprawl is a common risk multiplier.
- Check for remote access tools. If you see software you did not install, treat it as suspect and investigate before you log back in to sensitive accounts.
- Update OS and browser. Patch the computer before re-linking WhatsApp Web.
- Separate browsing from privileged sessions. If you can, use a dedicated browser profile for WhatsApp Web and other high-trust sessions.
- Lock the device. A linked session on an unlocked device is easy to abuse without malware.
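One way to make the extension review repeatable, added here as example code that is not from the original article: it reads Chrome-style extension manifests (the profile directory layout in scan_profile and the SAMPLES manifests are assumptions, not real extensions) and flags any extension whose host permissions or content scripts cover web.whatsapp.com, because such an extension can read the linked session as you see it.

```python
"""Flag browser extensions that can reach WhatsApp Web.
Added example, not from the original article. Chrome/Chromium manifest format;
profile layout and the SAMPLES manifests are assumptions, not real extensions."""
import fnmatch
import glob
import json
import os
from urllib.parse import urlsplit

TARGET = "https://web.whatsapp.com/"
# Permissions that let an extension observe or alter any page or session.
BROAD = {"webRequest", "webRequestBlocking", "debugger", "scripting", "cookies", "tabs"}

def pattern_covers(pattern: str, url: str = TARGET) -> bool:
    """True if a Chrome match pattern (e.g. '*://*.whatsapp.com/*') covers url."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    scheme_pat, rest = pattern.split("://", 1)
    host_pat, _, path_pat = rest.partition("/")
    u = urlsplit(url)
    scheme_ok = (scheme_pat == "*" and u.scheme in ("http", "https")) or scheme_pat == u.scheme
    # '*.whatsapp.com' matches the bare domain and every subdomain; '*' matches any host
    host_ok = host_pat == "*" or u.hostname == host_pat.lstrip("*.") or (
        host_pat.startswith("*.") and u.hostname.endswith(host_pat[1:]))
    return scheme_ok and host_ok and fnmatch.fnmatchcase(u.path or "/", "/" + path_pat)

def triage(manifest: dict) -> dict:
    """Report the host patterns and broad permissions that expose WhatsApp Web."""
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):  # injected JS sees the page as you do
        hosts += script.get("matches", [])
    hits = sorted({p for p in hosts if pattern_covers(p)})
    broad = sorted(BROAD & set(manifest.get("permissions", [])))
    return {"name": manifest.get("name", "?"), "whatsapp_hosts": hits,
            "broad_permissions": broad, "flag": bool(hits)}

def scan_profile(profile_dir: str) -> list:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json (assumed Chrome layout)."""
    paths = glob.glob(os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json"))
    return [triage(json.load(open(p, encoding="utf-8"))) for p in sorted(paths)]

# Constructed sample manifests for a dry run; these are not real extensions.
SAMPLES = [
    {"name": "Tab Tidy", "permissions": ["storage"], "host_permissions": ["https://example.org/*"]},
    {"name": "Page Helper", "permissions": ["tabs", "scripting"], "host_permissions": ["<all_urls>"]},
    {"name": "Chat Plus", "content_scripts": [{"matches": ["*://*.whatsapp.com/*"], "js": ["c.js"]}]},
]
```

Point scan_profile at the browser profile directory you actually use and review every entry with flag set; running triage over SAMPLES shows the output shape offline.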
Hardening that makes WhatsApp Web boring to attack
- Link only on devices you control. Avoid public or shared computers for WhatsApp Web.
- Keep linked devices minimal. Fewer sessions means fewer places to lose control.
- Update aggressively. WhatsApp, browsers, and OS updates all matter for web-client security.
- Reduce device compromise risk. Be strict about browser extensions and unsolicited downloads. If multiple accounts are being taken over, suspect an infostealer or remote access tool.
- Have a recovery path. Know how to regain access to the phone number and device that anchors the account.
What not to do during recovery
- Do not forward screenshots of chats to unknown "support" contacts. Screenshots often contain personal data that can be repurposed for fraud.
- Do not reuse the compromised device for recovery if malware is plausible. If the computer is compromised, use a known-clean device to reset critical accounts first.
- Do not treat the linked-device list as a one-time check. Re-check after you secure devices, because attackers sometimes re-link when they still have access.
If you frequently use WhatsApp Web, treat it like a privileged session:
- Use a dedicated browser profile. Fewer extensions and fewer random logins reduce cross-contamination.
- Lock the workstation. A linked session on an unlocked computer is effectively an open mailbox.
- Avoid linking on borrowed devices. Even if you log out, you cannot verify the device is clean.
- Review linked devices on a cadence. Many compromises persist because no one looks at the linked device list.
Key idea: End-to-end encryption does not protect you from a compromised endpoint. If the device can read the message, so can malware on that device.
WhatsApp publishes general security information here: WhatsApp security.
When WhatsApp Web incidents affect a business
If WhatsApp is used for customer communication, a compromise can become a reputational and fraud issue. Attackers can impersonate staff, request payments, or redirect customers to fake support channels.
Set boundaries before an incident:
- Separate personal and business use. Use a dedicated business number and restrict who can access it.
- Define verification rules. Staff should never request codes from customers, and customers should never be asked to pay based on an urgent chat message alone.
- Limit who can link sessions. Fewer linked devices reduce risk and make audits easier.
Containment looks like standard account takeover response: revoke sessions, secure the device, notify internal stakeholders, and watch for follow-on fraud attempts. Use what to do if your business or employees are hacked as a baseline sequence.
How to communicate after a suspected compromise
Attackers use compromised messaging accounts to ask for money, extract information, or push people to scam sites. If you believe your WhatsApp was exposed, warn people in a way that reduces follow-on loss.
- Tell contacts not to trust payment requests. Ask them to verify using a known channel before sending money.
- Explain the pattern. "If you get a message asking you to scan a QR code or share a code, it is not me."
- Protect the business brand. If you use WhatsApp for support, publish a simple rule about what your staff will never ask for.
Make WhatsApp Web checks routine
Linked sessions are easy to forget. A short routine reduces long-lived compromises:
- Monthly: review linked devices and remove anything you do not use.
- Quarterly: review your devices for extension sprawl and unapproved remote access tools.
- After travel or device repair: treat it as a trigger to re-check linked sessions.
WhatsApp Web security is not only about WhatsApp.
It is about linked devices and the people who can be pressured into linking them.
If you keep control of linked sessions, keep devices clean, and treat QR codes as high-leverage permission grants, most real-world WhatsApp Web compromises become preventable or containable.
