anuseems Posted February 18, 2015

Just a few weeks after WhatsApp was found to be flashing photos that users weren't supposed to see, we've got another privacy glitch: this time, it looks like changing your privacy settings doesn't stop people from tracking your status and any changes you've made to profile photos, status messages and settings.

This bug, actually, isn't new. It was reported to WhatsApp as early as September 2014.

Now, Dutch student Maikel Zweerink has cooked up an app to illustrate WhatsApp's weaknesses.

Zweerink's web-based tool, WhatsSpy Public, tracks any WhatsApp user you choose to follow.

He says it's a proof of how "broken" WhatsApp privacy options are:

It just started out as experimenting with WhatsApp to build a bot, but I was stunned when I realized someone could abuse this "online" feature of WhatsApp to track anyone's online status. I could just say this in like a blog article (like I tried but got marked as spam) that the privacy options are broken, but you wouldn't realize the impact it actually has.

Would-be snoopers don't actually have to be WhatsApp users to exploit the bug.

All you have to do to retrieve the online status of any telephone number is to add it to contacts and open a chat window, without alerting the phone number owner or asking for his or her permission.

Zweerink explains that he released the tool on 7 February to visualize the following properties of any phone number that uses WhatsApp:

- Online/Offline status (even with privacy options set to "Nobody")
- Profile pictures (only when privacy is set to "Everyone", which is the default)
- Status messages (only when privacy is set to "Everyone", which is the default)
- Privacy settings

Users can edit who sees the options "last seen", "profile photo" and "status", setting the options to "Everyone", "My Contacts" or "Nobody".

You would think that setting all three options to "Nobody" would keep you pretty private, but it actually doesn't stop the following "online" message from showing up in WhatsApp:

[Image: WhatsSpy Public Bot]

That "online" status message is actually a subscription service, Zweerink says, and it's not limited to one person; in fact, he says, a snooper could try to subscribe to any and all WhatsApp users, and "WhatsApp should just happily return this information."

(Though his tool couldn't handle the load, he notes.)

That's a lot of blown privacy, Zweerink says (all sic):

Some random person could just try to subscribe to all WhatsApp users and retrieve their online/offline status. Meanwhile, a lot of WhatsApp users (like myself) would thought my privacy was protected by these options! Imagine selling this information for marketing purposes, this just creeps me out. I dont want to retrieve a coupon on some drug that makes me sleep better, definitely not from any unknown party! Of course privacy is already a heavily discussed topic at Facebook and WhatsApp, but now when a complete stranger can know when I wake up is going way too far if you ask me...

WhatsApp has been contacted about this issue by a long list of publications, but Zweerink says so far there hasn't been a peep about it from the company.

https://nakedsecurity.sophos.com/2015/02/17/whatsapp-spy-tool-lets-anyone-track-when-youre-online/

WhatsSpy Public : https://gitlab.maikel.pro/maikeldus/WhatsSpy-Public/wikis/home

sirri Posted February 18, 2015

Interesting article. I already thrown since FB come. Many alternative messaging app. Currently, I am happy with Telegram.

silencer Posted February 18, 2015

Yup - Telegram is a good choice, I am using it too.

humble3d Posted February 19, 2015

Can anyone please point to a Windows desktop version or similar?? Thanks in advance... :)

Archived
This topic is now archived and is closed to further replies.