WhatsApp exploit can reveal when users are messaging or sleeping

Back in July, WhatsApp announced that it had 1 billion daily active users, all of them protected from prying eyes thanks to its end-to-end encryption. That means that no one, not even WhatsApp, can break the code and read the content of messages sent by the messaging app's subscribers. However, a software engineer named Robert Heaton has come across a vulnerability that allows outsiders to figure out when two WhatsApp users are most likely to be messaging each other, and when they are asleep.

Using WhatsApp online status and last seen features can allow someone to analyze the figures and get a good idea of a user's sleeping patterns. The last seen settings allow everyone to have access to the data, restrict them to be seen by contacts only, or allow them to be hidden to everyone. By default, this information is available for anyone to see. The online status information cannot be hidden or restricted in any way.

Heaton revealed how this information can be used. First, he would build a Chrome extension allowing him to monitor when his contacts are online, using the WhatsApp web application. It takes just four lines of Javascript to do this. Taking that information and comparing it to the activity of another contact, Heaton could figure out if and when two of his contacts were communicating with each other. The same vulnerability can be exploited on Facebook.

Knowing the sleeping patterns of messaging app users is the kind of information that online advertisers would treasure, so this vulnerability could, in theory, help launch a money making venture for someone.


source: RobertHeaton via TNW