A new WhatsApp loophole allows you to track strangers and friends

WhatsApp is, without a doubt, the most popular messaging app in the world and it often finds itself in the crosshairs of hackers. Here’s yet another security loophole that allows deep tracking of a user’s habits.

Hackers can now track your WhatsApp usage

Software engineer and penetration tester, Robert Heaton, has just discovered a powerful loophole present in WhatsApp. This loophole takes advantage of the fact that WhatsApp displays user data such as “last seen” and online status publicly.

The “last seen” feature is enabled by default and users don’t bother to disable it. As for the “online” status, WhatsApp offers no way to disable it at all.

While this data may seem unimportant to the average user, it’s enough for a hacker to snoop on you.

Furthermore, the hacker doesn’t need sophisticated hacking equipment; access to a normal laptop and an internet connection will suffice.

Snooping through a Chrome extension

Robert performs the “attack” with a laughable 4 lines of JavaScript code. Here’s the code for the Chrome extension.

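setInterval(function() {
  var lastSeen = $('.pane-header .chat-body .emojitext').last().text(); // status text in the open chat's header ($ is jQuery)
  console.log(Math.floor(Date.now() / 1000) + ", " + lastSeen); // Unix timestamp in seconds, then the status text
}, 1000); // repeat once per second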

Once a second, it reads the status text shown in the header of the open chat and logs it, together with a Unix timestamp, to Chrome’s built-in console.

You can then use this data to analyze and get a rough estimate of your target’s sleep patterns and usage habits.

You can also use this data to get a correlation between usage patterns of 2 individuals. Similar usage times will suggest that they are messaging and chatting with each other.

How does the attack take place?

Here’s how the attack takes place.

  • Log into web.whatsapp.com.
  • Check the target’s status and ascertain whether or not they are online.
  • Run the Chrome extension and record the contents of your activity through web.whatsapp.com.
  • Draw graphs detailing the messaging habits of your target.
  • Sell this information to interested companies.

This kind of snooping is surprisingly effective considering it’s just a proof-of-concept. If you can introduce advanced algorithms and more automation features, it will become a data mining powerhouse.

Unfortunately, there’s no way to protect against this kind of snooping since the “online” feature can’t be disabled. Moreover, you can’t even know that someone’s snooping on you with this method because they will still be using their own details.
