WhatsApp has been found to have a flaw that could allow third parties to stalk users, security researchers say. The issue stems from the instant messaging app's online status feature, which is enabled by default. A number of Android and iPhone apps, as well as some Web services, exploit the online status feature to let third parties track individuals without their consent. Cyber-stalkers may use such tracking solutions to keep an eye on WhatsApp users.
Cybersecurity firm Traced has discovered apps and services that could be used by cyber-stalkers to track when a user becomes active on WhatsApp. “You can enter any mobile phone number, and if that person uses WhatsApp, the status tracker will provide the exact date and time that person opened WhatsApp,” the company explained in a blog post.
WhatsApp has provided the online status feature to let people know when you’re online. However, unlike features such as Last Seen and Status messages, you don’t have the option to disable or change your online status. This is what could be exploited by third parties.
Traced found that many WhatsApp online status trackers market themselves as a solution to help people know when their contacts come online on the app. However, they could simply be used by cyber-stalkers to constantly monitor others.
Some WhatsApp online status trackers also allow users to enter the phone numbers of two individuals. This makes it possible to infer whether both users are chatting with each other on the app at a particular time.
Google doesn’t allow cyberstalking apps to be published on its Play store. However, WhatsApp online tracking apps on Google Play present themselves as solutions to let parents and spouses know when their loved ones are online on WhatsApp.
This isn’t the case with the Web-based online trackers, some of which are openly promoted as a way to track individuals’ WhatsApp accounts.
It is important to note that online trackers can only be used to see when someone uses WhatsApp. This means that the tracking solutions fortunately do not allow an individual to look at the tracked user’s messages or online activity. Third parties also need a user’s WhatsApp-associated phone number to track that user’s online status.
Having said that, the way WhatsApp has designed its online status feature appears to be the main reason this form of cyber-stalking is possible through third-party solutions. When contacted, a WhatsApp spokesperson gave this statement to Gadgets 360:
“We provide a setting to allow people to choose who can view the time a user was ‘last seen’ within WhatsApp. To help prevent abuse, we regularly work with app stores to seek the removal of apps that attempt to violate our terms of service. We have banned the WhatsApp accounts associated with such websites, requested Google remove such apps from the Play Store, and also take legal action, as appropriate. Automating WhatsApp’s features to scrape information is a violation of our terms of service and we will continue to take action to protect the privacy of our users and help prevent abuse.” – WhatsApp spokesperson
Earlier this week, a WhatsApp vulnerability was discovered that allows attackers to suspend individual accounts remotely by entering their registered phone numbers. The Facebook-owned app has also recently been criticised and questioned over its privacy policy update, which will allow sharing of some data with businesses.