WhatsApp’s Privacy Settings are Broken - BestCyberNews: Online News Presenter in the present world


WhatsSpy Public is a proof-of-concept web-based tool that allows an attacker to track every move of any WhatsApp user, even if the user has locked down their WhatsApp privacy settings.
The tool, created by Maikel Zweerink, could allow an attacker to access a WhatsApp user's profile picture, privacy settings, status messages and online or offline status.

This is possible even if the user has set the WhatsApp privacy options to "nobody," which in theory is supposed to mean "your last seen, profile photo and/or status will not be available to anyone."

The WhatsSpy Dashboard can also display a timeline that shows when users have been online and how long they spent using the app.
WhatsSpy Public is a web-oriented application that tracks every move of whoever you like to follow. The application is set up as a proof of concept that WhatsApp is broken in terms of privacy.

It tracks the following properties of any WhatsApp user:

  • Online/Offline status (even with privacy options set to nobody)
  • Profile pictures
  • Privacy settings
  • Status messages

It tracks any change of profile pictures, privacy settings or statuses. The tool provides a simple GUI to view a timeline of a user or even compare it to another tracked user.

This project has become open source on GitLab. You can run WhatsSpy yourself, but you need a server running 24/7 and knowledge about setting up IT projects.

You may disable "last seen", "profile picture" and "status", but this won't stop the "online" message from showing up. Many people won't know this still happens, which makes for pretty broken privacy settings. Because of this feature, WhatsSpy Public can track virtually anyone, since anyone can listen for these events.

The privacy options in WhatsApp act as if they give you full control over your status in WhatsApp, while they only affect a very limited scope. Sure, the last seen, profile picture and status options do work, but probably not as the user intended them to.

The ability for a complete stranger to follow your in-app status is pretty creepy and might be abused already. This is not a "hack" or "exploit"; it's broken by design.

Do you want a real-life proof of concept? Contact maikeldus@hotmail.com for a frightening "he can see whenever you're online" session.

Author: Venkatesh Yalagandula