Software engineer Rob Heaton has identified a vulnerability in WhatsApp that could allow a stalker to work out when two contacts are communicating via the service.

He managed to exploit it by writing a Chrome extension requiring just four lines of JavaScript …


The issue is that your ‘online’ status can be queried by any of your contacts. If you go offline and then come back online to read and reply to a message, that fact can be logged. Correlating times when you come back online with times when other people do the same can allow patterns to be seen that effectively identify two people messaging each other.

You’re dying to know whether your friends Lara and Tara are secretly dating. You can’t help but write multi-variate cross-correlation software that shows a striking alignment between their WhatsApp usage patterns.

His blog post begins by using the vulnerability to see when an avid WhatsApp user goes to bed and wakes again, in a delightfully whimsical scenario about spying on the sleep patterns of a friend supposedly in training for a charity walk. This is achieved using only the four lines of JavaScript.

setInterval(function() {
  var lastSeen = $('.pane-header .chat-body .emojitext').last().text();
  console.log(Math.floor(Date.now() / 1000) + ", " + lastSeen);
}, 1000);

Correlating the online patterns of two or more people would require more code, but the principle is the same. And while WhatsApp allows you to hide your ‘last seen’ times, it doesn’t allow you to hide when you are and aren’t online – that is, actively using the service.

The same weakness was found last year in Facebook Messenger.

Via TNW



About the Author

Ben Lovejoy's favorite gear