WhatsApp privacy is broken!

So there is this menu called "privacy" in WhatsApp. Here you can edit your "last seen", "profile picture" and "status" privacy options. You may think that now that you've set all options to "nobody" you are privacy-wise safe. But nevertheless I can still track your moves on WhatsApp.

WhatsSpy Public

WhatsSpy Public is a web-oriented application that tracks every move of whoever you like to follow. This application is set up as a proof of concept that WhatsApp is broken in terms of privacy.

It tracks the following properties of any WhatsApp user:

  • Online/Offline status (even with privacy options set to "nobody")
  • Profile pictures*
  • Status messages*
  • Privacy settings

* only if the privacy option is set to "everyone" (the default)

It tracks any change of profile pictures, privacy settings or statuses. This tool provides a simple GUI to view a timeline of a user or even compare it to another tracked user. You can track anyone on WhatsApp, with nothing more than the knowledge of their phone number.

Just an example of what WhatsSpy Public actually knows about you; click here for more screenshots.

This project has become open source on GitLab. You can run WhatsSpy Public yourself, but you need a computer that is online 24/7 and some IT knowledge. Go to the project page to learn more.

What is going on, privacy wise?

There is this thing on WhatsApp: when, let's say, Alice looks at her conversation with Bob, and Bob is online, a notification appears which says: Current status: Online.

You may disable "last seen", "profile picture" and "status", but this won't stop this "online" message from showing up. An even bigger problem is that anyone on WhatsApp can request this "online" message, not just your contacts. Obviously a lot of people won't know this still happens, which makes the privacy setting effectively broken. Because of this feature WhatsSpy Public can track anyone, despite their privacy settings.

Why is the privacy broken?

Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. - http://en.wikipedia.org/wiki/Privacy

The privacy options in WhatsApp act like they give you full control over your status in WhatsApp, while they only affect a very limited scope. Sure, the "last seen", "profile picture" and "status message" privacy options do work, but probably not as the user intended. By setting the "last seen" privacy option to "nobody" you think no one can see whether you're online, but this is not the case. What is even worse is that these "online" and "offline" events can be followed by anyone. The ability of a complete stranger to follow your in-app status is pretty creepy and might be abused already. This is not a "hack" or "exploit"; it's broken by design.

Learn more about the exact problem and how WhatsSpy Public abuses it.

