WhatsApp online status flaw

If you’re a WhatsApp user, your online status could be used to see who you’re talking to and when you go to sleep.

WhatsApp is a great way to connect with your friends and family around the world, but it turns out it may also be a great way for a hacker or stalker to keep tabs on when two people are communicating. That’s thanks to a new flaw discovered in the app by software engineer Rob Heaton, who was able to exploit it by creating a Chrome extension with just four lines of code.

The flaw exists because your WhatsApp “online” status, meaning whether you’re online or not, can be checked by any of your contacts. That means that when you go offline and then come back online to read a message, that action can be logged by whoever is watching your status. The online and offline actions of both participants in a conversation can then be correlated to identify when two people are messaging each other.

The code could even be tweaked to correlate more than two people messaging each other, and while that would require a little more code, the principle remains the same. Using the data collected, Heaton was even able to identify when users were going to sleep by seeing their first and last “online” statuses for the day.

Unfortunately, there’s really nothing you can do to prevent hackers from being able to spy on you in this manner. WhatsApp lets you show your “last seen” status to everyone, only contacts, or no one, but no such setting exists for your online status, which leaves it visible.

Heaton went on to note that it would be pretty easy for this information to be collected on a mass scale, then sold to companies for the purpose of advertising. For example, people with strange sleeping patterns might be good candidates for sleeping pill advertisements.

While this is certainly a privacy issue, it’s not clear if WhatsApp will ever issue a fix. The online status feature has been a part of WhatsApp since its inception, and the company may not want to change it. Still, it would be pretty easy to allow users to choose who sees their online status, as they can with their “last seen” status.