A WhatsApp vulnerability could allow someone to find out who is talking to whom, according to software engineer Rob Heaton.
“You’re dying to know whether your friends Lara and Tara are secretly dating,” Heaton writes in his blog post. “You can’t help but write multi-variate cross-correlation software that shows a striking alignment between their WhatsApp usage patterns.”
He started off his blog post by creating a scenario in which a friend was trying to find out the sleeping pattern of a contact, called Steve. The stalker was trying to find out if Steve was actually getting 8.5 hours of sleep to prepare for a charity walk.
“The plan is simple. Every 10 seconds, you check your target’s WhatsApp status, and note if they are online or not,” Heaton wrote.
The stalker wrote down Steve’s “last seen” times on WhatsApp and the times he went back on the app. The stalker then correlated the data and found Steve was actually getting less sleep than what was ordered.
The flaw allows anyone to see when someone was last available on WhatsApp, and find out who they were talking to, even if the user being stalked has hidden their last seen status from others on the app.
Heaton demonstrated the WhatsApp flaw by writing a short Chrome extension.
“You set your Chrome extension running and hide the laptop under your bed,” he said in the blog post. “You come back a week later and see what Steve Steveington has been up to. You copy and paste the output from the developer console and draw a couple of graphs.”
The stalker’s graph would look something like this:
[Image: A WhatsApp flaw can allow a stalker to see when a person has been asleep or who the user is talking to.]
Correlating the patterns of two or more people requires longer code, but the same technique would be applied.
The same issue was found last year in Facebook Messenger, since the app also tells others when a user has been online, offline or idle. The flaw on Messenger also allows stalkers to graph when their friends are awake or asleep.
“Monitoring Steve Steveington on WhatsApp presents a different set of challenges to monitoring him on Facebook,” Heaton wrote on Monday. “Facebook sends data to your browser using straightforward HTTP requests that you can easily write a program to mimic. However, WhatsApp communicates with your browser using a much more complex Web Sockets-based protocol.”