Status of the WhatsApp privacy problem

Status of the WhatsApp privacy problem

About two months ago I released WhatsSpy Public to prove that WhatsApp, six months after the first discovery still did not fix the privacy problem where a random user can access any online/offline status of a WhatsApp user with only the knowledge of their phonenumber.

It got quite a lot of media attention, up to the point I needed to disable most services on my server to keep it online. View here all publications (incomplete).

Contact with WhatsApp

At the release various news websites (Wired, The Register, Sophos) contacted WhatsApp for a repsone, only Sophos got an actual response. I quote from the spokesman of WhatsApp that responded to Sophos:

So in essence he built a program that just records and monitors information he has access to anyway. I also assume this would only be for people who he has in his contact list so these are people he knows anyway.

The one response that came from WhatsApp was with a wrong assumption and looks like they tried to dig this problem into the ground. The one response acts like this all is normal, meanwhile other messaging services like Telegram and Hangouts protected against this public privacy problem where anyone can request your online/offline status. These services block any (meta-)information from leaking to a complete stranger on their service, meanwhile WhatsApp acts like this spying is just part of their service.

After this I contacted WhatsApp myself, but got never an awnser. I reported it via their Ticketing system (which is pretty annoying by the way) and directly to their spokesman, but after all these weeks still no luck.

WhatsSpy Public Usage

As of writing, the minimal installations that are currently active is a whopping >47.300 active WhatsSpy Public installations. This is based on the requests executed to check if there is a new version available grouped by IP address of the last 7 days (!). The real number of installations can be in fact much higher (multiple instances running on the same IP or instances that have been used more than 7 days ago).

A rather interesting fact is that Germany is one of the top users of the PoC with a close to 30% compared to the rest of the world. 71% of all installations run on 1.4.0 or higher and the amount of extra installations skyrockted this week, because of the fully explained guide and Raspberry Pi image which seems to be much easier to setup.

The following image shows in which countries atleast 25 instances are running:

All the countries that requested the version

So what now?

The WhatsSpy Public PoC can be a great tool to show your friends that WhatsApp is not really an ideal choice for a privacy friendly messenger (and now we are only speaking about information leakage to the outside).

WhatsApp might even fix this silently, which I think is somewhat childish behaviour but atleast it got fixed that way! We will need to see what the future will bring, I really hope they fix it. With the implementation of TextSecure (a method to keep your message content private for WhatsApp) on the way it could be a more privacy friendly messenger in the future, but if it fails to fix these problems there will be enough alternatives.