Through an undocumented API of WhatsApp it is possible to collect the phone numbers, status updates and profile pictures of nearly all WhatsApp users. The issue was discovered by security researcher Loran Kloeze, who describes how a database can be created with all kinds of data about WhatsApp users.
Information is obtained by sending (random) phone numbers through the WhatsApp Web interface, which, if a phone number exists, replies with the profile picture, status update and online/offline status. There is no restriction on the number of times you can send phone numbers, nor is it required that the number is in your own contact list.
Besides creating a database with information about nearly all WhatsApp users, this also makes it possible to track a user and see when that user was online and offline.
To demonstrate what is possible, Kloeze has written a proof of concept that allows tracking up to 500 persons. The collected information is refreshed every 10 seconds. In theory this can be done with every imaginable phone number in the world.
Kloeze writes about the potential uses, “the database can be queried in such a way that it tells me when a phone number was online and it tells me what profile picture belongs to the phone number. After a few months it can tell me how often you have changed your profile picture and into what pictures. And how about facial recognition? Those techniques have been improved over the last years. Imagine this, I take a walk and take a picture of some stranger. Now I feed the database that picture and in a few minutes it tells me which phone number belongs to the picture. Now that is quite scary, isn’t it?”
Not all WhatsApp users are affected, and it is possible to make sure you are not vulnerable. The privacy settings in WhatsApp can be changed so that not just anyone can collect your last seen, profile picture and status. This method is unable to collect data from users who have already done so.
Kloeze has shared his finding with Facebook, which stated that it is aware of the possibility but does not see it as a problem, as users can prevent their data from being collected by changing their privacy settings.
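The two defences this paragraph and the previous ones touch on are per-user privacy settings and a cap on how many lookups one requester may perform. The following toy lookup service, an added example that is not WhatsApp's code or Kloeze's proof of concept, models both: each of the three fields the article names (picture, status, last seen) has its own "everyone / my contacts / nobody" setting, a requester gets a fixed lookup quota per time window, and an unknown number and a fully hidden profile return the same empty answer so the response itself does not reveal whether a number is registered. The account data and phone numbers are constructed.

```python
"""Toy profile-lookup service showing the defences the article mentions.
Constructed example; it is not WhatsApp code and makes no claim about how
WhatsApp's real service is implemented."""
from collections import defaultdict, deque

EVERYONE, MY_CONTACTS, NOBODY = "everyone", "my_contacts", "nobody"
FIELDS = ("picture", "status", "last_seen")

# Constructed sample accounts (numbers and contents are made up).
# Each field carries its own privacy setting, mirroring the article's
# "last seen, profile picture and status".
USERS = {
    "+10000000001": {
        "picture": "pic-a.jpg", "status": "hi", "last_seen": 1000,
        "contacts": {"+10000000002"},
        "privacy": {"picture": EVERYONE, "status": EVERYONE, "last_seen": EVERYONE},
    },
    "+10000000002": {
        "picture": "pic-b.jpg", "status": "busy", "last_seen": 2000,
        "contacts": {"+10000000001"},
        "privacy": {"picture": MY_CONTACTS, "status": MY_CONTACTS, "last_seen": NOBODY},
    },
}


class ProfileLookupService:
    def __init__(self, users, max_lookups=20, window=60):
        self.users = users
        self.max_lookups = max_lookups      # lookups allowed per requester ...
        self.window = window                # ... within this many seconds
        self._log = defaultdict(deque)      # requester -> timestamps of recent lookups

    def _rate_limited(self, requester, now):
        """Sliding-window counter: True when the requester's quota is used up."""
        recent = self._log[requester]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_lookups:
            return True
        recent.append(now)
        return False

    @staticmethod
    def _visible(field, target, requester):
        """Apply the target's per-field privacy setting to this requester."""
        setting = target["privacy"][field]
        if setting == EVERYONE:
            return True
        if setting == MY_CONTACTS:
            return requester in target["contacts"]
        return False                        # NOBODY

    def lookup(self, requester, number, now):
        """Return the profile fields `requester` may see for `number`.

        An unknown number and a profile hidden from this requester both
        yield {}, so the reply does not confirm whether a number exists.
        """
        if self._rate_limited(requester, now):
            raise PermissionError("lookup quota exceeded for %s" % requester)
        target = self.users.get(number)
        if target is None:
            return {}
        return {f: target[f] for f in FIELDS if self._visible(f, target, requester)}


if __name__ == "__main__":
    svc = ProfileLookupService(USERS, max_lookups=3, window=60)
    print(svc.lookup("+10000000001", "+10000000002", 0))   # contact: picture + status
    print(svc.lookup("+19999999999", "+10000000002", 0))   # stranger: {}
    print(svc.lookup("+19999999999", "+15555555555", 0))   # unknown number: {}
```

Running the module prints the contact view, the empty reply a stranger gets for a locked-down profile, and the identical empty reply for a number that does not exist. With the default "everyone" settings the stranger still sees all three fields, which is exactly the situation the article describes.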