
PoC WhatsSpy Public support ending today

Note: attempting to run this from now on might (eventually) result in WhatsApp banning the phone number used for the PoC. The code has not been updated for over a month now, which makes detection by WhatsApp easier.

In February 2015 I released the Proof of Concept WhatsSpy Public to give people insight into the lack of proper privacy controls within WhatsApp. Some might have thought this to be a Grey Hat action; I thought it was the only way to create better awareness about privacy and its unknown implications.

WhatsSpy Public is considered to be a partly successful project:

  • Provided better awareness about meta-data scraping and the ability for such data to be collected, aggregated and eventually abused.
  • Provided insight into the inner workings (or rather the lack thereof) of WhatsApp's privacy controls towards the outside.

I was hoping this would also lead to a fix from WhatsApp, but as of now the last-seen privacy problem is still not fixed:

  • As a user you are still not able to control the online/offline visibility.
  • The status can still be requested by any user on WhatsApp (regardless of being considered a contact).

Please note that this PoC only encompassed the privacy exposure to the Internet. The user agreement between Facebook and the user is a whole other field of possible privacy problems.

Since media outlets are no longer reporting on this issue, and WhatsApp is refusing to fix it (although they are in clear violation of the EU privacy directive), I decided to stop the maintenance on WhatsSpy Public to prevent low-level abuse. I have received several indications that companies and app makers are attempting to abuse the PoC, despite the license explicitly stating that it is for personal use only (and NO commercial intent).

As of now, no updates for WSP will be published, and the issue section will be closed. The project will stay online for reference, but don't expect it to work any longer (although it still works at the moment!). This problem is yet another reason to convince ourselves that we need to get rid of WhatsApp and come up with a privacy friendly alternative. What that alternative may be, I'm letting you decide for yourself, but let's hope they can resist a takeover from Facebook.

Special thanks to mgp25 for reverse engineering the WhatsApp API (also personal use ONLY).

Maikel Zweerink


Gelderland, The Netherlands