Creating a database of phone numbers, profile pictures and status information of almost all WhatsApp users turns out to be very easy. The user doesn't even have to be in your contacts. This should raise at least some privacy concerns, and hopefully a lot more. Let me explain how it works.
Are you tech savvy? You can download a Chrome extension here to use my script yourself.
Update 05-09-2018: the Chrome extension has been updated.
A few years ago WhatsApp made it possible to use WhatsApp in your web browser. That is good for the user experience: composing a message on a keyboard is a lot easier than using those tiny touch-screen buttons, and copying, pasting and adding attachments are easier too. So much for the good news. The bad news is that the WhatsApp Web interface can be used to build a huge database of every possible WhatsApp user. Only a small group of users is not affected: those who have changed their privacy settings. Unfortunately most users never change those settings, and WhatsApp doesn't encourage it much. Together these facts make it possible to collect huge amounts of interesting data, which I'm going to show you now.
Explanation for normal users
Web WhatsApp connects to the WhatsApp servers through your phone. In a nutshell, the browser asks the server for all the information belonging to a certain phone number. The information sent back includes the following:
- The profile picture
- The status text or about text; the default text is the famous 'Hey there! I am using WhatsApp'
- The online/offline status of the user
It turns out that this information can be requested for every phone number. As said, the number does not need to be in your contact list. Because there is no such restriction, it is possible to build a complete database of phone numbers, profile pictures, about texts and online/offline statuses. If every lookup is stored with a timestamp, complete timelines per phone number can be reconstructed. That answers questions like: when was the user with phone number xxx-xxxxxx online and offline?
So, what can anyone do with all this information? First of all, again, imagine that anyone can create a database with the above information for every phone number in a certain country, together with the profile pictures, about texts and online/offline statuses. For a country the size of the Netherlands that is within reach. The database can be queried to tell me when a phone number was online and which profile picture belongs to it. After a few months it can tell me how often you have changed your profile picture and into which pictures. And how about facial recognition? Those techniques have improved a lot over the last few years. Imagine this: I take a walk and take a picture of a stranger. I feed that picture to the database and a few minutes later it tells me which phone number belongs to the face. Now that is quite scary, isn't it?
I'm a fan of responsible disclosure. So when I found out about this possibility of collecting huge amounts of data from WhatsApp, I contacted them. Or rather, I contacted Facebook, because they own WhatsApp. In summary: they are aware of the possibility of this amount of data collection, but they don't see it as a problem, or as a privacy concern for that matter. Take a moment to think about it before you might agree…
The following is a technical explanation that may be a bit difficult to follow for non-technical users.
There are three API calls that I use in my script, all on the internal Store object of Web WhatsApp, which is reachable from the browser's developer console. The first one is Store.ProfilePicThumb.find(<phone number>) and it's used to collect profile pictures. You can use it as follows:
The second API call is Store.Wap.statusFind(<phone number>) and it's used to request the about text of a phone number. An example:
The last API call is Store.Presence.find(<phone number>) and it's used to request the online/offline status. Use it as follows:
By putting these three calls in a loop, you can request this information for every phone number you can think of.
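The loop described here, and the database of per-number records from the "Explanation for normal users" section, as an added example written for this page; it is not the author's script or extension. It assumes the 2017 Web WhatsApp conventions that contact ids have the form `<number>@c.us`, that the three Store calls return Promises that reject for numbers not on WhatsApp, and that the resolved objects expose `eurl`, `status` and `isOnline`. Those field names are assumptions; check them against what the console actually returns. A constructed mock of the Store object is included so the loop runs offline.

```javascript
// Added example, not the author's code. Assumed (not verified on the page):
// ids are "<number>@c.us", every Store call returns a Promise that rejects
// for non-users, and results expose `eurl`, `status` and `isOnline`.

// Candidate ids for a block of national numbers, e.g. +31 6 1234 5600 .. 5603.
function numbersInRange(countryCode, from, to) {
  const ids = [];
  for (let n = from; n <= to; n++) {
    ids.push(`${countryCode}${n}@c.us`);
  }
  return ids;
}

// One lookup: profile picture, about text and presence for a single id.
// A rejected call marks the number as "not a user" instead of aborting the run.
async function lookup(store, id) {
  const record = { id, user: false, picture: null, about: null, online: null };
  try {
    const pic = await store.ProfilePicThumb.find(id);
    record.picture = pic && typeof pic.eurl === 'string' ? pic.eurl : null;
    const st = await store.Wap.statusFind(id);
    record.about = st && typeof st.status === 'string' ? st.status : null;
    const pres = await store.Presence.find(id);
    record.online = pres ? Boolean(pres.isOnline) : null;
    record.user = true;
  } catch (e) {
    record.user = false; // lookup failed: treat as not (visibly) on WhatsApp
  }
  return record;
}

// Walk the ids one by one with a pause between them; every record carries
// the time of the lookup so a timeline per number can be rebuilt later.
async function enumerateRange(store, ids, delayMs) {
  const rows = [];
  for (const id of ids) {
    const row = await lookup(store, id);
    row.seenAt = Date.now();
    rows.push(row);
    if (delayMs > 0) await new Promise(resolve => setTimeout(resolve, delayMs));
  }
  return rows;
}

// Constructed stand-in for the Store object so the loop can run outside
// the browser. In Web WhatsApp you would pass the real Store instead:
//   enumerateRange(Store, numbersInRange('31', 612345600, 612345699), 500)
function mockStore(users) {
  const reject = id => Promise.reject(new Error(`${id}: not a WhatsApp user`));
  const found = (id, pick) => (users[id] ? Promise.resolve(pick(users[id])) : reject(id));
  return {
    ProfilePicThumb: { find: id => found(id, u => ({ eurl: u.eurl })) },
    Wap: { statusFind: id => found(id, u => ({ status: u.status })) },
    Presence: { find: id => found(id, u => ({ isOnline: u.isOnline })) },
  };
}

// Constructed sample data: two users inside a block of four numbers.
const SAMPLE_USERS = {
  '31612345601@c.us': { eurl: 'https://example.invalid/pic1.jpg', status: 'Hey there! I am using WhatsApp', isOnline: true },
  '31612345603@c.us': { eurl: 'https://example.invalid/pic3.jpg', status: 'busy', isOnline: false },
};

// Offline run over the sample block; returns the collected records.
function demo() {
  return enumerateRange(mockStore(SAMPLE_USERS), numbersInRange('31', 612345600, 612345603), 0);
}

demo().then(rows => console.table(rows));
```

Each record is one row of the database the article talks about; storing the rows with their `seenAt` timestamp and re-running the loop periodically is what turns a snapshot into the per-number timeline of online/offline changes and profile-picture changes.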
At the beginning of this article you see a UI that I've created. It uses the above API calls. You can find the script here. Drop the script in the developer console of your Web WhatsApp instance and the UI pops up. Please use it wisely!
Update 15-05-2017 04:20 PM
Some people made some remarks about this finding. I’d like to respond to those remarks as follows:
Remark 1: ‘I don’t see how this is such news, i can simply add any number and have the same information’
Yes, you can do that and you would get the same information. The difference is that I collect that information in an automated way. Are you able to select 100 numbers, add them to your contacts and get that information in a nice table using your phone? It's about the scale of the collection, not about revealing secret information. It's not a security-related issue.
Remark 2: ‘This information isn’t secret or private. How is this news?’
Haha, yes, I get that. But think about this: I can create a huge database of profile pictures linked to phone numbers. With that I can use facial recognition to find out someone's phone number just by taking a picture of them. Again, as with remark 1: it's the potential scale of doing this that makes it an issue.
Remark 3: ‘I already discovered this years ago, how is this news?’
I don't know. It probably didn't get the attention it deserved at the time. Now it does get the attention; be happy with it, because a lot of people have changed their privacy settings in WhatsApp because of this blog/script. 🙂
Update 16-05-2017 02:00 PM
Update 16-05-2017 09:45 PM
I’ve created a very simple Chrome extension that brings up the UI.