WhatsApp vulnerability could allow someone to work out who is talking to who

Software engineer Rob Heaton has identified a vulnerability in WhatsApp that could allow a stalker to work out when two contacts are communicating via the service.

He managed to exploit it by writing a Chrome extension requiring just four lines of JavaScript …


The issue is that your ‘online’ status can be queried by any of your contacts. If you go offline and then come back online to read and reply to a message, that fact can be logged. Correlating times when you come back online with times when other people do the same can allow patterns to be seen that effectively identify two people messaging each other.

You’re dying to know whether your friends Lara and Tara are secretly dating. You can’t help but write multi-variate cross-correlation software that shows a striking alignment between their WhatsApp usage patterns.

His blog post begins by using the vulnerability to see when an avid WhatsApp user is going to bed and waking again, in a delightfully whimsical scenario about spying on the sleep patterns of a friend supposedly in training for a charity walk. This is achieved using only the four lines of JavaScript.

setInterval(function() {
  var lastSeen = $('.pane-header .chat-body .emojitext').last().text();
  console.log(Math.floor(Date.now() / 1000) + ", " + lastSeen);
}, 1000);

Correlating the online patterns of two or more people would require more code, but the principle is the same. And while WhatsApp allows you to hide your ‘last seen’ times, it doesn’t allow you to hide when you are and aren’t online – that is, actively using the service.

The same weakness was found last year in Facebook Messenger.





Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
