A potential design flaw has been found in WhatsApp that lets anyone track a user's activity. While the contents of messages can’t be read, given that WhatsApp is end-to-end encrypted, the ‘online status’ feature can be used to monitor exactly when a user is online, according to a blog post written by software engineer Robert Heaton. Your online status can help hackers figure out who you are talking to. It can also be exploited to spy on a user’s sleeping patterns – the time you go to bed and wake up.
Heaton, who has made similar security-related findings in the past, described in his blog post just how easy it was to do this using a laptop, a Chrome extension and WhatsApp Web. He exploited the flaw by creating a Chrome extension with just four lines of code, Digital Trends reported late on Tuesday. The code could even be tweaked to correlate more than two people messaging each other.
"What that means is that when you go offline and then come back online to read a message, that action is being logged."
Heaton, though, was relying on the ‘last seen’ option, which has privacy settings and gives users the option of blocking strangers. However, as the post points out, the default setting for ‘last seen’ is often ‘everyone’, and not many people bother changing it.
Unfortunately, there is nothing you can do to stop attackers from monitoring your activity. While the app has an option to show your last seen status to everyone, only your contacts, or no one, there is no way to disable the online status feature, which reveals when you are actively using the service. This data can easily be collected on a mass scale and then sold to third-party firms for advertising purposes.