# Full Report
WhatsApp's privacy settings are "broken" and can be bypassed by downloading a simple bit of software, claims the Dutch developer behind proof-of-concept tool WhatsSpy Public.
# Analysis Summary
# Vulnerability: Ineffective WhatsApp Privacy Settings Revealing User Status
## CVE Details
- CVE ID: Not specified in the article. This appears to be a design flaw/configuration issue rather than a traditional software vulnerability requiring a CVE.
- CVSS Score: Not scored.
- CWE: Not specified. This falls under "Broken Access Control" or "Improper Restriction of Shared User Status" conceptually.
## Affected Systems
- Products: WhatsApp messaging service.
- Versions: Not specified. The article describes the behaviour of the WhatsApp service as deployed at the time of writing; any later design change by WhatsApp is outside its scope.
- Configurations: Any user who has configured their privacy settings to hide "Last Seen," profile picture, or status messages.
## Vulnerability Description
The report highlights that WhatsApp's privacy settings (specifically for "Last Seen," profile picture, and status messages) are "broken by design" and ineffective at protecting user information. A third-party proof-of-concept tool, WhatsSpy Public, exploits this design flaw. By knowing only a user's phone number, an attacker (or any stranger) can bypass these privacy settings to monitor:
1. The user's current profile picture.
2. The user's current status message.
3. The user's online/offline status timeline (when they are using the app).
The developer states this is not a traditional "hack" or "exploit" but a failure in the intended scope of the privacy settings.
## Exploitation
- Status: Proof-of-Concept (PoC) available via WhatsSpy Public tool.
- Complexity: Low (requires only the target's phone number).
- Attack Vector: Network (the status information is obtained remotely by querying the service with the target's phone number; no access to the target's device is needed).
## Impact
- Confidentiality: **Medium** (Metadata concerning usage, presence, and profile image is exposed).
- Integrity: **Low** (No modification of data).
- Availability: **None** (Service remains available).
## Remediation
### Patches
- The article attributes the issue to the design of the privacy settings, so a fix would have to come from WhatsApp as a service-side change; no specific patches or version numbers are listed in this 2015 article. Users should nonetheless keep WhatsApp updated to the latest version.
### Workarounds
- No explicit workarounds are provided, other than noting that the privacy controls are intended to limit scope but fail to do so effectively.
## Detection
- **Indicators of Compromise:** Only observable on the service side: an unusual volume of status or presence queries for a given phone number originating from accounts unrelated to that user. Nothing on the monitored user's device changes, so there is no client-side indicator.
- **Detection methods and tools:** The presence of the flaw can be confirmed with the WhatsSpy Public tool or any equivalent method that retrieves a number's status data despite the account's privacy settings.
## References
- Vendor advisories: None provided in the text.
- Relevant links (defanged):
  - ESET article: hxxps://www.welivesecurity.com/en/privacy/whatsapp-privacy-broken-reveals-proof-of-concept-hack/
  - EFF Secure Messaging Scorecard: hxxps://www.eff.org/secure-messaging-scorecard (the article states WhatsApp was rated 2 out of 7 at the time).