A flaw in WhatsApp's Online status is aiding stalkers

PostedAt: Fri, Apr 16, 2021 5:54 PM

WhatsApp has been found to have a flaw that could allow third parties to stalk users, security researchers say. The issue stems from the instant messaging app's online status feature, which is enabled by default. A number of Android and iPhone apps, as well as some Web services, exploit the online status feature to let third parties track individuals without their consent. Cyber-stalkers may use such tracking solutions to keep an eye on WhatsApp users.

A WhatsApp user's online status is accessible by anyone and can be tracked using services built to monitor it.
Data breaches and Facebook-owned apps go hand in hand. Adding to the long list is the WhatsApp Status flaw that makes it easy for cyberstalkers to track women on the app. A new report from Traced, a mobile security app, shows that stalkers use WhatsApp Online Status websites to extract personal information about women.

The report further explains that stalkers typically try to gather as much information as possible about their target. This information includes the people that person is talking to; who they are emailing; their whereabouts; people they are meeting; what sites they are visiting online, and much more. Having such personal details about a person is unethical and also very dangerous.

When a person is online on WhatsApp, their status can be seen as "online" regardless of whether their number is saved on your phone or not. While it sounds like a pretty normal feature, WhatsApp status trackers track users even when they aren't online.

WhatsApp is the most popular messaging app in the world with over two billion active users daily. An oversight in the platform's online status system has, in turn, led to the creation of services that track the indicator and tell you whether a person is online or not.

This works because the information is public and can be viewed by anyone. When you open WhatsApp, you are considered 'Online' and this is shown to everyone, even outside of your contact list.

To curb cyberstalking, Google has banned stalkerware on the Google Play Store; however, numerous apps get around this ban by claiming to be a tool for parents to track their child's browsing history, location, and other online activities. But, as of now, there is no way to stop someone from using such apps for nefarious purposes.

Though installing software on a phone without the owner's consent is illegal, it's difficult to enforce the law against an app that presents itself as a family tracker, eliminating the need to notify the user about the data transmission.

You can even enter a second phone number and compare the times the two were 'Online' to figure out if they were messaging each other.

A Reddit user going by the handle 'lollygagme' tried this out and watched her partner's activity for a week. She found that she was able to pick up on "patterns where he’s actually having an in-depth back and forth conversation with someone versus him checking in over and over to see if she’s replied back yet."

The Traced report also highlights one particular trick that cyberstalkers use to monitor their target without having to access their phones. This tactic is completely legal and mostly relies on web-based services that don't reveal their stalkerware policies.

So how do these online WhatsApp status trackers work? Traced CTO Matt Boddy tried them out himself. He found that when a user comes online on WhatsApp, an indicator changes, showing their status as "online." Anybody can use this indicator to build a service that tracks it.

Some trackers take this constant monitoring a notch higher. Cyberstalkers enter a second phone number to cross-reference the times each person used WhatsApp to see if they were communicating with each other.

What's more concerning is the fact that WhatsApp has no control over such apps and websites that track users. Besides, there's no way users can themselves find out if they are being tracked. Though you can hide your "Last Seen" on the app, there's no way to stop showing "Online" status.

There aren't many ways to protect against this kind of stalking, but changing phone numbers could work. However, this would be an extremely inconvenient step. Another alternative could be switching to a more secure app such as Signal, which is a privacy-focused app. This isn't the case with the Web-based online trackers, as some of them are clearly promoted as the solution to track individuals' WhatsApp accounts.

It is important to note that online trackers can only be used to see when someone uses WhatsApp. This means that the tracking solutions, fortunately, do not allow an individual to look at their messages or online activity. Third parties also need users' WhatsApp associated phone numbers to track their online status.

Having said that, the way WhatsApp has designed its online status feature appears to be the prime cause of this form of cyber-stalking through third-party solutions.