WhatsApp vulnerability could allow someone to work out who is talking to who

Software engineer Rob Heaton has identified a vulnerability in WhatsApp that could allow a stalker to work out when two contacts are communicating via the service.

He managed to exploit it by writing a Chrome extension requiring just four lines of JavaScript …

The issue is that your ‘online’ status can be queried by any of your contacts. If you go offline and then come back online to read and reply to a message, that fact can be logged. Correlating the times when you come back online with the times when other people do the same can reveal patterns that effectively identify two people messaging each other.

You’re dying to know whether your friends Lara and Tara are secretly dating. You can’t help but write multi-variate cross-correlation software that shows a striking alignment between their WhatsApp usage patterns.

His blog post begins by using the vulnerability to see when an avid WhatsApp user is going to bed and waking again, in a delightfully whimsical scenario about spying on the sleep patterns of a friend supposedly in training for a charity walk. This is achieved using only the four-line JavaScript code.

setInterval(function() {
  var lastSeen = $('.pane-header .chat-body .emojitext').last().text();
  console.log(Math.floor(Date.now() / 1000) + ", " + lastSeen);
}, 1000);

Correlating the online patterns of two or more people would require more code, but the principle is the same. And while WhatsApp allows you to hide your ‘last seen’ times, it doesn’t allow you to hide when you are and aren’t online – that is, actively using the service.

The same weakness was found last year in Facebook Messenger.

