
You can edit any of these three options (“last seen”, “profile photo” and “status”) and choose between “Everyone”, “My Contacts” and “Nobody”. But there is a catch, a pretty big one: even when you’ve set all options to “Nobody” you can’t prevent the following message from showing up in WhatsApp (note the online message):

You might think, well, I put all options to Nobody and I’m privacy-wise safe to go! You might think, well, it’s a contact of mine, I’m willing to let him know that. But again, there is a catch: these events can be followed by everyone on WhatsApp. Well, it’s just a Proof of Concept of how broken this design actually is. It acts like a normal WhatsApp application to the servers of WhatsApp. But once logged in it starts doing other things.

The message “online” mentioned above is in fact a subscriber service (you tell the server you want any updates about the offline or online status of this person and the server sends updates if they occur). This subscription system is not limited to one person either. You can basically try to subscribe to all WhatsApp users out there in the world, and WhatsApp should just happily return this information. Not that my Proof of Concept could handle it, it’s just to give the WhatsApp user some insight into what is actually going on. Imagine selling this information for marketing purposes, this just creeps me out. If not done already, some random person could just try to subscribe to all WhatsApp users and retrieve their online/offline status, meanwhile a lot of WhatsApp users (like myself) would have thought their privacy was protected by these options! I don’t want to receive a coupon for some drug that makes me sleep better, definitely not from some stranger (besides WhatsApp themselves)! Of course privacy is already a heavily discussed topic at Facebook and WhatsApp, but when a complete stranger can know when I wake up, that is going way too far if you ask me…

How does WhatsSpy Public work?

As told before, WhatsSpy Public acts like a WhatsApp client to the WhatsApp servers. WhatsSpy Public is in fact a regular web application (it runs on a server or “the cloud”) and the tracker itself is just a PHP (programming language) based script. The requirements mention a jailbroken iPhone, rooted Android phone, or using WART, but this is just to retrieve a secret code used in WhatsApp to communicate between the client (your application on your phone) and the server (somewhere in a big data center). This secret links a phone number to a WhatsApp client. This secret code is used in WhatsSpy Public to act like it’s a normal WhatsApp client. But once logged in it starts doing privacy-invasive things. By abusing the protocol it listens for any updates from any users you added to WhatsSpy Public. This is a problem by design and needs to be fixed.
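The design flaw described above is that the presence subscription is accepted and served without consulting the target's privacy options. The toy model below (added here; it is not WhatsSpy or WhatsApp code, and the numbers, contact lists and setting names are constructed) contrasts a server that grants every subscription with one that gates subscriptions on the target's "last seen" option and contact relationship.

```python
"""Toy model of a presence subscription service (constructed example)."""
from dataclasses import dataclass, field

EVERYONE, MY_CONTACTS, NOBODY = "Everyone", "My Contacts", "Nobody"


@dataclass
class User:
    number: str
    last_seen: str = EVERYONE            # the "last seen" privacy option
    contacts: set = field(default_factory=set)


@dataclass
class PresenceServer:
    users: dict
    enforce_privacy: bool                # False models the behaviour the post describes
    subs: dict = field(default_factory=dict)   # target -> set of subscriber numbers

    def subscribe(self, subscriber: str, target: str) -> bool:
        """Handle a presence subscription request; return whether it was granted."""
        t = self.users[target]
        if self.enforce_privacy:
            # Hardened policy: the target's setting decides who may follow presence.
            if t.last_seen == NOBODY:
                return False
            if t.last_seen == MY_CONTACTS and subscriber not in t.contacts:
                return False
        self.subs.setdefault(target, set()).add(subscriber)
        return True

    def presence_change(self, target: str, state: str) -> dict:
        """Fan an online/offline event out to every granted subscriber."""
        return {s: (target, state) for s in self.subs.get(target, set())}


def demo(enforce_privacy: bool, victim_setting: str) -> dict:
    # Constructed scenario: one contact and one complete stranger both subscribe.
    victim, contact, stranger = "+10000000001", "+10000000002", "+10000000003"
    users = {
        victim: User(victim, last_seen=victim_setting, contacts={contact}),
        contact: User(contact),
        stranger: User(stranger),
    }
    srv = PresenceServer(users, enforce_privacy)
    granted = {s: srv.subscribe(s, victim) for s in (contact, stranger)}
    delivered = srv.presence_change(victim, "online")
    return {"granted": granted, "delivered_to": sorted(delivered)}
```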
