Just a few weeks after WhatsApp was found to be flashing photos that users weren’t supposed to see, we’ve got another privacy glitch: this time, it looks like changing your privacy settings doesn’t stop people from tracking your status and any changes you’ve made to profile photos, status messages and settings.
This bug actually isn’t new. It was reported to WhatsApp as early as September 2014.
Now, Dutch student Maikel Zweerink has cooked up an app to illustrate WhatsApp’s weaknesses.
Zweerink’s web-based tool, WhatsSpy Public, tracks any WhatsApp user you choose to follow.
He says it’s a proof of how “broken” WhatsApp privacy options are:
It just started out as experimenting with WhatsApp to build a bot, but I was stunned when I realized someone could abuse this "online" feature of WhatsApp to track anyone's online status. I could just say this in like a blog article (like I tried but got marked as spam) that the privacy options are broken, but you wouldn't realize the impact it actually has.
Would-be snoopers don’t actually have to be WhatsApp users to exploit the bug.
All you have to do to retrieve the online status of any telephone number is to add it to contacts and open a chat window, without alerting the phone number owner or asking for his or her permission.
Zweerink explains that he released the tool on 7 February to visualize the following properties of any phone number that uses WhatsApp:
- Online/Offline status (even with privacy options set to “Nobody”)
- Profile pictures (only when privacy is set to “Everyone”, which is the default)
- Status messages (only when privacy is set to “Everyone”, which is the default)
- Privacy settings
Users can edit who sees the options “last seen”, “profile photo” and “status”, setting the options to “Everyone”, “My Contacts” or “Nobody”.
You would think that setting all three options to “Nobody” would keep you pretty private, but it actually doesn’t stop the “online” status message from showing up in WhatsApp.
That “online” status message is actually a subscription service, Zweerink says, and it’s not limited to one person; in fact, he says, a snooper could try to subscribe to any and all WhatsApp users, and “WhatsApp should just happily return this information.”
(Though his tool couldn’t handle the load, he notes.)
That’s a lot of blown privacy, Zweerink says (all sic):
Some random person could just try to subscribe to all WhatsApp users and retrieve their online/offline status. Meanwhile, a lot of WhatsApp users (like myself) would thought my privacy was protected by these options! Imagine selling this information for marketing purposes, this just creeps me out. I don’t want to retrieve a coupon on some drug that makes me sleep better, definitely not from any unknown party!
Of course privacy is already a heavily discussed topic at Facebook and WhatsApp, but now when a complete stranger can know when I wake up is going way too far if you ask me...
WhatsApp has been contacted about this issue by a long list of publications, but Zweerink says so far there hasn’t been a peep about it from the company.
UPDATE 18 February: A spokesperson for WhatsApp says that this is a “non-story”. It’s not a flaw, the company says; it’s by design:
This is not a "hack" or "security flaw" of WhatsApp. It appears he made an app that just monitors information he would have access to anyway.
"Last seen" and "online" are different. You can choose to not let people see "last seen" and, as the author admits in his blog post, that setting is respected based on your preference (same for profile photo). Online/offline is always visible.
So in essence he built a program that just records and monitors information he has access to anyway. I also assume this would only be for people who he has in his contact list so these are people he knows anyway.
Zweerink agrees that this isn’t a “hack” or “exploit”, but says that still doesn’t change the fact that WhatsApp’s privacy options don’t protect users from privacy invasion:
As a user you are fooled to believe there are these nice privacy options which protect you against all privacy invasive things, but in fact they don't. And you don't have any control over who to share your online/offline status with on WhatsApp, because any stranger can listen for them.
He’s still hoping his tool raises awareness, though:
To be honest; this is exactly the kind of response I feared for, because when the earlier research showed the privacy flaw they did not do anything about it. And I'm still hoping to raise awareness and do something about it. The awareness part is working well, and I'm trying my best to make it into an awareness campaign for privacy on the internet and try to let WhatsApp fix this.