New WhatsApp vulnerability: whose list are you on?

If you’re using WhatsApp, you’ll be on a list somewhere. But not just the lists of friends, family, and work colleagues that you’d expect. Turns out that it is very easy to build a super list using WhatsApp in a web browser.

APIs are available on the web that enable developers, or anyone else for that matter, to request information about any number registered in WhatsApp; the number doesn’t need to be in your address book. Information that is freely available includes your profile picture, your about text and your online/offline status.

Using this method it is possible to build a database of almost limitless size and construct timelines showing your activity. Full technical details are available here.

Such a database opens up a lot of nefarious possibilities. As the database builds, it becomes possible to run queries such as: when was this phone number online? When profile pictures are brought into the equation, with facial recognition technology (which most people use on Facebook), it becomes possible to take a photo of someone and then query the database to find out who they are and their phone number.

Apart from being downright creepy, in certain oppressive regimes this could be extremely dangerous. For those who travel to exotic locations for business, these possibilities are certainly worth keeping in mind.

There are some steps that savvy users can take to guard against this type of abuse of their data. Casual WhatsApp users should check their privacy settings.

Remember, WhatsApp is just an example that has featured in the news of late – almost any other social media app is likely to have similar vulnerabilities and issues with privacy, including where and how your data is stored.

For any sensitive, official or corporate communications, social media apps such as WhatsApp should be used vigilantly. It is better to use an app that you control, so that you know where your data is at all times, and that has security and privacy baked in.


Sourced by Andy Lilly, CTO and director, Armour Comms


Nick Ismail
