WhatsApp, the standalone smartphone instant messaging app, is once again in the news because of a tool that can break its security features. The recently released WhatsSpy Public tool can give you status updates of any WhatsApp user, even if privacy options have been enabled. WhatsSpy Public uses a web-based utility to trace the movements of a WhatsApp user and shows them in a dashboard, with events displayed in a timeline. The tool can be used to compare the activities of one user with those of another for a more comfortable experience.
WhatsSpy Public was created by Maikel Zweerink, who started working on it as a hobby. While working on it he found that some of the events sent out by the messaging app could be intercepted by anyone. The list includes the current status of a user (online/offline, even with the privacy option set to “nobody”), changes of profile picture, modifications of privacy settings and changes of status message. The data collected in the dashboard also offers good insight into the time frame in which a user is available on WhatsApp, with logs showing the exact moment when the user starts to use the service and when he/she disconnects from it. When it is turned on, WhatsSpy Public can record the profile picture and the privacy settings for status messages.
Zweerink says he released the tool on GitLab as a proof-of-concept to demonstrate the weakness in WhatsApp in terms of privacy. Zweerink said that his only motive behind this project was “to realise how broken the privacy options actually are. It just started out as experimenting with WhatsApp to build a Bot, but I was stunned when I realised someone could abuse this ‘online’ feature of WhatsApp to track anyone.” He further added that the privacy in the messaging app was broken by design and that no hack or exploit was leveraged.
The developer has provided complete instructions for installing WhatsSpy Public. It requires a secondary WhatsApp account, a rooted/jailbroken mobile phone or PHP knowledge, a server that can run 24/7 (a Raspberry Pi is recommended as a cheap alternative), and Nginx or Apache with PHP and PostgreSQL.
Recently, 17-year-old Indrajeet Bhuyan discovered that images that were shared from the mobile device and then deleted were still visible in the online version of the service. Bhuyan also found that a profile picture set to be available only to contacts can be accessed by individuals outside this contact list. Privacy issues have been circling around WhatsApp for a long time now.
If Facebook does not improve the privacy features of WhatsApp, WhatsApp may face a Snapchat-like leak in the near future.