Privacy concerns have remained at the forefront of WhatsApp’s every move ever since its acquisition by Facebook. Various security reports have emerged in the last year or so exploiting one or the other WhatsApp functionality. Software engineer Rob Heaton has today published another such vulnerability on his blog that exposes how the messaging app’s last seen feature can be abused for building an automated stalking tool.
The workaround makes use of WhatsApp’s web client and a little script that logs a contact’s ‘last seen’ every few seconds. Once signed in, the four-line script can be executed to query and record the information without encountering any sort of firewalls whatsoever. Rob developed this merely to track his colleague’s sleeping patterns. He did so by evaluating the period between when his friend was offline and online during the night time. However, the tool can be easily deployed for keeping an eye on someone.
One of the scenarios Rob discusses is if you’d like to find whether your friends are dating or not. To achieve this, a simple cross-correlation software can be written ‘that shows a striking alignment between their WhatsApp usage patterns.’ The program churns out various graphs which depict the similarities between their online sessions which should give you an idea about their relation. Similarly, multiple computers can be put to use for feeding a service which could be potentially sold to health insurers and credit agencies, who are both very suspicious of people who are awake at 4 AM.
Of course, you can disable the ‘last seen’ from the settings. However, WhatsApp still shows you are online when talking to someone. The script can be, therefore, updated for adapting to this and continue functioning without any hassles whatsoever. Hence, there’s currently no way for avoiding this security hole. It’s certainly not a critical issue and since reports have been published before someone can misuse the vulnerability, I’m sure WhatsApp will be updating its architecture for blocking such access.
A similar flaw was discovered on Facebook’s Messenger service last year. Therefore, it’s safe to say an exhaustive script can be fabricated which accumulates data from a range of messaging platforms and dumps it in a common base. Both accuracy and granularity of the information can be, therefore, drastically improved if someone plans to turn this into a business.