A design flaw reportedly allows WhatsApp users’ online status and other information to be monitored, even with the strictest privacy settings
A Dutch developer has released software that demonstrates what he calls built-in flaws in the privacy features of WhatsApp, allowing users’ status and other information to be tracked by anyone – regardless of how strict their privacy settings are.
WhatsApp, owned by Facebook, is one of the most popular mobile messaging tools, with 700 million monthly active users sending more than 30 billion messages per day, the company said last month. It has, however, previously attracted criticism over its privacy features.
While in the process of developing another project, Maikel Zweerink said he was “stunned” to discover that WhatsApp allows a user’s status – indicating whether they are online or not – to be viewed by any other user, regardless of how strict the user’s privacy settings are.
The software he developed, WhatsSpy Public, allows the user’s status to be tracked, and also tracks changes to profile pictures, privacy settings or status messages for any user, even those with their privacy options set to the strictest option, “nobody”, according to Zweerink.
“I made this project for you to realise how broken the privacy options actually are,” Zweerink said in documents accompanying the software, which he has published online. “You may think now that you’ve set all options to ‘nobody’ you are privacy-wise safe. But nevertheless I can still track your moves on WhatsApp.”
He said that while privacy options do have some effectiveness, they provide less anonymity than users would expect, making them “illusions”.
“The privacy options in WhatsApp act like they give you full control over your status in WhatsApp meanwhile they only affect a very limited scope,” he wrote in a blog post. “The ability for a complete stranger to follow your in-app status is pretty creepy and might be abused already. This is not a ‘hack’ or an ‘exploit’, it’s broken by design.”
WhatsApp did not immediately respond to a request for comment.
WhatsSpy Public requires some technical knowledge to set up, as well as specialist equipment including a server. Once it is activated, it displays a timeline of the online status of a tracked user and can compare this to another tracked user, Zweerink said.
Last year, another researcher found that WhatsApp chat messages on Android devices could be accessed by other users due to poor system design.