WhatsApp Privacy problem explained in detail

WhatsApp Privacy problem explained in detail

Introduction to WhatsSpy Public (not to confuse with WhatsSpy)? | WhatsSpy Public Project page

I released a tool this Saturday, which will give you some insight of what a “hacker” (or in fact any stranger with some programming knowledge) can conclude of your WhatsApp behavior. This tool visualizes the following properties of any phone number that uses WhatsApp:

  • Online/Offline status (even with privacy options set to "nobody")
  • Profile pictures*
  • Status messages*
  • Privacy settings

* only if privacy option is set to "everyone" (set by default)

First some back story:

You have these privacy options in WhatsApp:

You can edit any of these three options (“last seen”, “profile photo” and “status”) and choose between “Everyone”, “My Contacts” and “Nobody”. You might think, well I put all options to nobody and I’m privacy-wise safe to go! But there is a catch, a pretty big one:

Even when you’ve set all options to “nobody” you can’t prevent the following message from showing up in WhatsApp (note the online message):

You might think, well it’s a contact of mine, I willing to let him know that. But again, there is a catch: these events can be followed by everyone on WhatsApp.

So back to “What is WhatsSpy Public”. Well it’s just a Proof of Concept of how broken this design actually is. It acts like a normal WhatsApp application to the servers of WhatsApp. But once logged in it starts doing other things.

The message “online” mentioned above is in fact a subscriber service (you tell the server you want any updates about the offline or online status of this person and the server sends updates if they occur). This subscription system is not limited to one person either. You can basically try to subscribe to all WhatsApp users out there in the world, and WhatsApp should just happily return this information. Not that my Proof of Concept could handle it, it’s just to give the WhatsApp user some insight of what is actually is going on.

If not done already, some random person could just try to subscribe to all WhatsApp users and retrieve their online/offline status meanwhile a lot of WhatsApp users (like myself) would thought my privacy was protected by these options! Imagine selling this information for marketing purposes, this just creeps me out. I don’t want to retrieve a coupon on some drug that makes me sleep better, definitely not from some stranger (beside WhatsApp themselves)!

Of course privacy is already a heavily discussed topic at Facebook and WhatsApp, but now when a complete stranger can know when I wake up is going way too far if you ask me…

How does WhatsSpy Public work?

As told before, WhatsSpy Public acts like a WhatsApp clients to the WhatsApp servers. But once logged in it starts doing privacy invasive things. By abusing the protocol it listens for any updates from any users you added to WhatsSpy Public. This is a problem by design and need to be fixed.

WhatsSpy Public is in fact a regular web-application (it runs on a server or “the cloud”) and the tracker itself is just a PHP (programming language) based script.

The requirements mention a jailbroken iPhone, rooted Android phone, or using WART but this is just to retrieve a secret code used in WhatsApp to communicate between the client (your application on your phone) and the server (somewhere in a big data center). This secret links a phonenumber to an WhatsApp client. This secret code is used in WhatsSpy public to act like it’s a normal WhatsApp client. This iPhone or Android phone needs to be jailbroken/rooted because you need the secret which is stored at a safe location, protected by the Operating System (iOS, Android).

As a programmer with some knowledge of PHP (programming language) and PostgreSQL (database in which you store things) you can set up WhatsSpy Public in a matter of minutes. Imagine the following activities (just to give you an idea):

  • Retrieving the secret from your mobile phone or WART (10 minutes).
  • Installing WhatsSpy Public on your server (20 minutes).
  • Setting up the database (5 minutes).
  • Adding users (5 minutes).
  • Starting the tracker (5 minutes).

In the "getting started" is also mentioned that you need a second WhatsApp account. The primary reason for this requirement is because you cannot use both the tracker and the WhatsApp application on your phone at the same time. In this case there is a chance that messages will be sent to the tracker and because WhatsApp only sends messages once they will be gone.

What needs to be clarified

Privacy options for “status message” and “profile picture” and “last seen” do in fact work. But the troubling part is here that the scope of “last seen” is very limited. It indeed blocks any user from accessing the last seen status, but it does not block the online/offline subscriber service. This might give you the thought you have full control over your WhatsApp status but in fact you really don’t. Privacy is the right to control over who can receive what, and due to this serious issue you really can’t anymore. And this PoC only addresses some stranger accessing your online/offline status, not even WhatsApp or Facebook themselves capturing your online/offline information.

Figure 1 - The privacy option "last seen" does not cover the online/offline subscriber service (the "online" message in the chat header)

I hope this makes it clear.

What is my message with this PoC?

All I want you to realize is the fact that despite the given privacy options, you are still traceable on WhatsApp, by any unknown person that happens to follow you. Of course WhatsApp had privacy problems before and I understand using this service, WhatsApp maybe use my information meanwhile I do not really agree with that. But some stranger with somewhat programming skills following my every move without me even knowing about it? This creeps me out and I want it fixed, now.

The other point I’m trying to make: since more and more information is not stored under your control, you need to watch out with what you actually do in this digital age. The Proof of Concept also tracks “status messages” and “profile pictures” but at least these options are covered by the privacy options within WhatsApp. You need to be aware that all this information and its history is stored at WhatsApp, but is also by standard publicly available. I made a complete application for you to understand, but it could just as well be making a screenshot of your profile picture, it results in the same privacy issue. This is not only the case for WhatsApp but also for any other publicly available service on the internet.

What does WhatsApp need to do? My opinion:

WhatsApp makes two big mistakes:

  • Any stranger can retrieve events of your online/offline status in WhatsApp.
  • You have privacy options in WhatsApp but they are misleading and provide no option to disable point 1.

I think they need to address this by:

  • Replace the “last seen” privacy option with an “online/offline status” option which both disables the last seen message and the ability to view if someone is online (in WhatsApp these two things are different, as explained above).
  • Set all privacy options by default to “nobody” and notify users about the consequence of setting these options to “contacts” or “everyone”.

Many news sources confirm they have contacted WhatsApp and I hope they fix this problem as quick as possible. And as it turns out the "online" feature in WhatsApp is known to be causing problems before:

WhatsApp is aware of this problem for 6+ months now and they didn't undertake any action! Let's see if we can fix this by raising the awereness (and awareness of privacy on the internet in general). There was contact between various news sites and me to WhatsApp but they did not react or gave a meaningless response.

Maikel Zweerink - Radboud University student - Computing Security