Proof-of-concept tool records actions that should be private

Feb 9, 2015 08:14 GMT

Certain information related to WhatsApp activity can be tracked by a third party with the help of a recently released tool, even if privacy options have been enabled.

Called WhatsSpy Public, the web-based utility can trace the activity of a WhatsApp user and display it in a dashboard as a timeline of events. Moreover, the activity of one user can be compared with that of another.

Privacy options are not comprehensive

The tool was created by Maikel Zweerink, who started working on it as a hobby. He found that some of the events sent out by the messaging app could be intercepted by anyone; these include a user's current status (online/offline, even when the privacy options are set to “nobody”), changes of profile picture, and modifications of the privacy settings and of the status message.

The data collected in the dashboard gives a clear picture of the times at which a user is active on WhatsApp, with logs showing the exact moment they start using the service and the moment they disconnect from it.

Turning on the privacy settings for the status messages and the profile picture is also recorded by WhatsSpy Public.

Zweerink says he released the tool on GitLab as a proof-of-concept that demonstrates how broken WhatsApp is in terms of privacy.

“I made this project for you to realise how broken the privacy options actually are. It just started out as experimenting with Whatsapp to build a Bot, but I was stunned when I realised someone could abuse this 'online' feature of Whatsapp to track anyone,” the developer says on the project page.

Instructions for installing the tool are provided

He added that no hack or exploit was involved, and that privacy in the messaging app is broken by design.

The developer also provides complete instructions for installing WhatsSpy Public. The list of requirements comprises a secondary WhatsApp account, a rooted/jailbroken mobile phone or PHP knowledge, a server that can run 24/7 (a Raspberry Pi is recommended as a cheap option), and Nginx or Apache with PHP and PostgreSQL.

Privacy issues have surrounded WhatsApp for a long time. Recently, 17-year-old researcher Indrajeet Bhuyan discovered that images shared from the mobile device and then deleted were still visible in the online version of the service.

Bhuyan also found that a profile picture set to be available only to contacts can be accessed by individuals outside this list.