Privacy settings on the popular messaging client WhatsApp can be easily bypassed with a simple piece of software, a Dutch developer revealed this week. Maikel Zweerink has released a software kit that allows anyone to see whether WhatsApp users are online, even if they have their status and status messages set to “private.”
The developer says he released the WhatsApp hack, which he calls WhatsSpy Public, as a “proof of concept.” The app is meant to prove that WhatsApp is “broken… in terms of privacy,” Zweerink said in a blog post, claiming the hack is only meant as an illustration of the problem.
More than a concept, however, the WhatsApp spying software is fully functional, and allows anyone with a phone number not tied to a WhatsApp account to spy on users of the Facebook-owned messaging app — including those who think they’re protected with strict privacy settings. With WhatsSpy Public, any dubious person can read the status, profile picture or away message of users, even without an account. The WhatsApp status — which lets other users know whether they are online or off — is protected for users who ask to hide it, but the software can bypass privacy settings and show whether users are online or not.
“This is not a ‘hack’ or ‘exploit,’” Zweerink said in his post, but rather proof that WhatsApp’s security is “broken by design.”
The find has gained the developer notoriety with the Ycombinator “Hacker News” community. It requires would-be hackers to use specific devices, like a jailbroken iPhone or a rooted Android — a special control Apple and Google attempt to prevent most users from having over their devices. It also requires a phone number not registered with WhatsApp, or an unused SIM card.
WhatsApp did not respond to a request for comment. The Electronic Frontier Foundation, which tracks how well messaging apps secure their users’ privacy, has previously scored WhatsApp five out of a possible seven.