WhatsApp vulnerability could allow someone to work out who is talking to who

Software engineer Rob Heaton has identified a vulnerability in WhatsApp that could allow a stalker to work out when two contacts are communicating via the service.

He managed to exploit it by writing a Chrome extension requiring just four lines of JavaScript …

The issue is that your ‘online’ status can be queried by any of your contacts. If you go offline and then come back online to read and reply to a message, that fact can be logged. Correlating times when you come back online with times when other people do the same can allow patterns to be seen that effectively identify two people messaging each other.

You’re dying to know whether your friends Lara and Tara are secretly dating. You can’t help but write multi-variate cross-correlation software that shows a striking alignment between their WhatsApp usage patterns.

His blog post begins by using the vulnerability to see when an avid WhatsApp user goes to bed and wakes again, in a delightfully whimsical scenario about spying on the sleep patterns of a friend supposedly in training for a charity walk. This is achieved using only the four lines of JavaScript:

setInterval(function() {
  var lastSeen = $('.pane-header .chat-body .emojitext').last().text();
  console.log(Math.floor(Date.now() / 1000) + ", " + lastSeen);
}, 1000);

Correlating the online patterns of two or more people would require more code, but the principle is the same. And while WhatsApp allows you to hide your ‘last seen’ times, it doesn’t allow you to hide when you are and aren’t online – that is, actively using the service.

The same weakness was found last year in Facebook Messenger.

Via TNW

