Undocumented API allows collecting huge amounts of privacy sensitive data of all WhatsApp users

Posted 09 May 2017 18:26 CEST by Jan Willem Aldershoff

Through an undocumented API of WhatsApp it’s possible to collect phone numbers, status updates and profile pictures of nearly all WhatsApp users. The issue was discovered by security researcher Loran Kloeze, who describes how a database can created with all kinds of data about WhatsApp users.

(Proof of concept script in action – credits Loran Kroeze)


Getting information is done by sending (random) phone numbers through the WhatsApp Web interface, which, if a phone number exists, replies with the profile picture, status update and online/offline status. There is no restriction on the amount of times you can send phone numbers, neither it’s required that the number is in your own contact list.

Besides creating a database with information about nearly all WhatsApp users, it also makes it possible to track an user and see when that user was online and offline.

(Tracking when an user is online and offline – credits Loran Kroeze)

To demonstrate what is possible, Kloeze has written a proof of concept which allows tracking up to 500 persons. The collected information is also refreshed every 10 seconds. In theory this can be done with every imaginable phone number in the world.

Kloeze writes about the potential uses, “the database can be queried in such a way that it tells me when a phone number was online and it tells me what profile picture belongs to the phone number. After a few months it can tell me how often you have changed your profile picture and into what pictures. And how about facial recognition? Those techniques have been improved over the last years. Imagine this, I take a walk and take a picture of some stranger. Now I feed the database that picture and in a few minutes it tells me which phone number belongs to the picture. Now that is quite scary, isn’t it?”

Not all WhatsApp users are affected, and it’s also possible to make sure you are not vulnerable. It’s possible to change the privacy settings in WhatsApp in such a way that not just everyone can collect your last seen, profile picture and and status. From users who already did, this method is unable to collect data.


Kloeze has shared his finding with Facebook, who stated to be aware of the possibility but don’t see it as a problem, as users can prevent that their data is collected by changing their privacy settings.

Myce.com settings

Several settings at Myce.com can be changed, they are stored in cookies, which means they will be reset if you clear Myce.com cookies


Change the background to a plain color or trianglified image (similar to the default image)

No tracking features

At Myce most social media feature are done server side and impose no privacy risk to the visitor when not used. Several features use Javascript with you can turn off here


Switch to the List layout for an index with chronologycally listed news items or Grid layout for a block based layout. To see the change you need to reload the page