Security

This article is more than 1 year old

WhatDaHell, WhatsApp? Student claims 'stalker' tool shows security flaws

Releases proof-of-concept app to 'highlight concerns'

Mon 16 Feb 2015 // 13:03 UTC

A newly discovered security flaw in WhatsApp allows anyone to track a user’s status, regardless of their privacy settings, a student claims.

The same bug also lifts the kimono on profile picture and privacy settings - in default settings only - and status messages regardless of privacy settings.

Maikel Zweerink, a Dutch University student, has published a tool called WhatsSpy Public to illustrate the risk.

Zweerink told El Reg: "You cannot track all properties if someone has set all privacy options to nobody (in this case you can't track profile photos and status messages) BUT you can keep tracking the online/offline status which is the main problem here!"

He also claimed the problem had been discovered months before by some German researchers but that WhatsApp had done "nothing about it".

Using WhatsSpy Public dumbs down the process of “stalking” a target through their use of the mobile messaging app, he says. The proof-of-concept tool is intended to push WhatsApp into action rather than making life easier for would-be spies and stalkers, Zweerink says.

It should be noted that would-be snoopers wouldn’t need to be WhatsApp users themselves.

Explaining his decision to release such a tool, Zweerink said: “WhatsSpy Public (not to be confused with WhatsSpy) is an web-oriented application that tracks every move of whoever you like to follow. This application [has been] setup as a proof of concept that WhatsApp is broken in terms of privacy.

“I could just say this in a blog article – that the privacy options are broken – but you wouldn’t realise the impact it actually has,” he added.

WhatsApp is no stranger to the occasional privacy controversy. For example, one recently discovered bug allowed world+dog to see a user’s profile photos even if they had set it to ‘Contacts Only’.

Teenage security researcher Indrajeet Bhuyan also discovered related syncing problems with WhatsApp’s recently introduced web interface.

El Reg has contacted WhatsApp for comment but has yet to hear back. We'll update if we hear more. ®

Topics

Special Features

Vendor Voice

Resources

Security

WhatDaHell, WhatsApp? Student claims 'stalker' tool shows security flaws

Releases proof-of-concept app to 'highlight concerns'

More about

More about

Narrower topics

More about

More about

More about

Narrower topics

TIP US OFF

Other stories you might like

US legislators propose American Privacy Rights Act - and it looks quite good

Academics probe Apple's privacy settings and get lost and confused

Google will delete data collected from 'private' browsing

A different view from the edge

Reform of USA's Section 702 spying rule may make it to a vote this week

Ex-White House CIO tells The Reg: TikTok ban may be diplomatic disaster

Head of Israeli cyber spy unit exposed ... by his own privacy mistake

Lawsuit claims Meta hobbled Facebook Watch to help Netflix

AT&T admits massive 70M+ mid-March customer data dump is real though old

Majority of Americans now use ad blockers

Meta accused of snarfing people's Snapchat data via traffic decryption

Uncle Sam wants to know how big airlines use passenger data

About Us

Our Websites

Your Privacy