WhatsSpy Public tool can spy on Whatsapp users

WhatsSpy Public is a web-based tool that could allow an attacker to access Whatsapp user information related to his activity.

WhatsSpy Public is a web-based tool created by Maikel Zweerink that can trace the moves of a WhatsApp user. WhatsSpy is able to display user information in a friendly dashboard that includes events being displayed in a timeline.

The tool also allows experts to compare timelines of two users in order to conduct cross analysis. Zweerink has released the WhatsSpy Public tool on GitLab as a proof-of-concept that WhatsApp privacy is broken, he highlighted the application doesn’t rely on a specific hack or exploit.

Maikel Zweerink explained that he has discovered that some of the events sent out by the messaging app could be intercepted by anyone. Among the data that could be eavesdropped, there is the current status (independently of privacy settings), change of profile pictures, message status and any modification of privacy settings.

By analyzing the WhatsSpy Public dashboard it is possible to discover the exact moment when users start to use WhatsApp and when they disconnect from the service.

“WhatsSpy Public is an web-oriented application that tracks every move of whoever you like to follow. This application is setup as an Proof of Concept that Whatsapp is broken in terms of privacy. Once you’ve setup this application you can track users that you want to follow on Whatsapp. Once it’s running it keeps track of the following activities:”explained Zweerink on the project page.

“I made this project for you to realise how broken the privacy options actually are. It just started out as experimenting with Whatsapp to build an Bot, but I was stunned when I realised someone could abuse this ‘online’ feature of Whatsapp to track anyone,”

On the project page are reported the instructions for the installation of the WhatsSpy Public tool in Raspberry Pi, Server and VPS. The requirements includes:

Secondary Whatsapp account (phonenumber that doesn’t use Whatsapp)
Rooted Android phone OR Jailbroken iPhone OR PHP knowledge
Server/RPi that runs 24/7
Nginx or Apache with PHP (you can’t host on simple webhoster, you need bash)
Postgresql

There is no peace for Whatsapp users, recently the researcher Indrajeet Bhuyan discovered two privacy issues in Whatsapp web application and in the last months the same experts has discovered a way to crash the mobile application by sending specially crafted messages.

Pierluigi Paganini

(Security Affairs – Whatsapp, WhatsSpy Public)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.