According to a Dutch developer, the privacy settings in WhatsApp are broken. By adding a user's phone number to his open source tool, he is able to track any change of profile picture, privacy settings or statuses from any user.
WhatsSpy is an open source tool that allows around-the-clock monitoring of any WhatsApp user. The software has to be installed on a server and includes a web interface that continuously tracks the targeted user. The developer of the tool states he created the software to demonstrate how broken the privacy settings in WhatsApp are.
He explains, “you may disable ‘last seen’, ‘profile picture’ and ‘status’ but this won’t disable this ‘online’ message from showing up. Obviously a lot of people won’t know this still happens, thus creating an pretty broken privacy settings [sic]. Due to this feature WhatsSpy can track virtually anyone, because anyone can listen for these events.”
In December last year, researchers at the University of Erlangen-Nuremberg already demonstrated how easy it is to monitor thousands of WhatsApp users. The researchers presented the anonymized data from their experiments and explained what WhatsApp should do to truly protect the privacy of users. Unfortunately, it seems WhatsApp hasn’t made any changes, and everyone can still see whether any WhatsApp user is online just by knowing the phone number.
While the researchers' method required a complex experimental setup with multiple smartphones, WhatsSpy makes it much easier. The software can be installed on a cheap device like the Raspberry Pi and requires only little technical knowledge. Besides a server, WhatsSpy requires a rooted Android smartphone or a jailbroken iPhone and a secondary WhatsApp account (a phone number not actively used by WhatsApp).
The second WhatsApp account/number is required to avoid the risk of being banned from WhatsApp, although according to the researchers at the University of Erlangen-Nuremberg, this danger is not too big. They monitored hundreds of users for months without ever being blocked.