‘Large-scale data collection is possible via undocumented WhatsApp API’


Security expert Loran Kloeze has explained on his blog how to build a database containing the phone numbers, profile pictures and status information of almost all WhatsApp users. This appears to be possible via an undocumented API of WhatsApp Web.

According to Kloeze, the data collection is possible because the API of the web version of WhatsApp sends someone’s phone number to the server and then sends the profile picture, status text and information about the user’s online status back to the browser. According to Kloeze, the server returns this information for every phone number imaginable, including numbers that aren’t in someone’s contact list. This makes it possible to create a database with phone numbers and profile pictures of third parties and to reconstruct when the user was online with WhatsApp.

Kloeze used a script he wrote himself to request the status information of a large number of telephone numbers. He used three API calls. The first requested the URLs of the profile pictures. The second requested the WhatsApp user’s status text, and the last API call allowed him to query whether someone is online or offline.

Using these API calls in a loop, Kloeze was able to request information for the phone number of any WhatsApp user. This data collection is only possible for users who have not adjusted their privacy settings in WhatsApp and, for example, have not hidden their profile picture and status info. This is probably the case for the vast majority of users.
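The article describes two things a profile-lookup endpoint can do to limit this kind of collection: honour each user’s privacy setting on the server side rather than relying on the client, and notice when one requester is looking up far more numbers than any normal contact sync would. The following toy service is an added illustration written for this page; it is not Kloeze’s script and not WhatsApp’s or Facebook’s code, and every phone number, visibility value and threshold in it is constructed. It also returns an identical “hidden” response for unknown numbers and for users who hid their profile, so a bulk lookup cannot even confirm which numbers are registered.

```python
"""Toy profile-lookup service (added example; all data and names constructed).

Models two server-side defences against bulk profile enumeration:
  1. per-user visibility settings enforced by the server, and
  2. a sliding-window lookup counter that throttles and flags bulk requesters.
"""
import time
from collections import deque
from dataclasses import dataclass, field

# Response returned for hidden profiles AND unknown numbers, so the two cases
# are indistinguishable to the requester.
HIDDEN = {"picture_url": None, "status_text": None, "online": None}


@dataclass
class Profile:
    phone: str
    picture_url: str
    status_text: str
    online: bool
    visibility: str = "everyone"          # "everyone" | "contacts" | "nobody"
    contacts: set = field(default_factory=set)


class LookupService:
    def __init__(self, profiles, max_lookups=20, window_seconds=60):
        self.profiles = {p.phone: p for p in profiles}
        self.max_lookups = max_lookups        # assumed threshold, not a real WhatsApp limit
        self.window = window_seconds
        self.history = {}                     # requester -> deque of request timestamps
        self.flagged = set()                  # requesters that exceeded the threshold

    def _allow(self, requester, now):
        """Sliding-window rate check; returns False once the window is full."""
        q = self.history.setdefault(requester, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_lookups:
            self.flagged.add(requester)       # surface for detection / investigation
            return False
        return True

    @staticmethod
    def _visible_to(profile, requester):
        """Apply the target user's own privacy setting on the server."""
        if profile.visibility == "everyone":
            return True
        if profile.visibility == "contacts":
            return requester in profile.contacts
        return False                          # "nobody"

    def lookup(self, requester, target, now=None):
        """Return profile data, the HIDDEN shape, or None when throttled."""
        now = time.time() if now is None else now
        if not self._allow(requester, now):
            return None
        p = self.profiles.get(target)
        if p is None or not self._visible_to(p, requester):
            return dict(HIDDEN)
        return {"picture_url": p.picture_url,
                "status_text": p.status_text,
                "online": p.online}


def build_demo_service():
    """Constructed sample users; the numbers are placeholders, not real accounts."""
    alice = Profile("+10000000001", "https://example.invalid/pic/alice", "Hi there", True)
    bob = Profile("+10000000002", "https://example.invalid/pic/bob", "Busy", False,
                  visibility="contacts", contacts={"+10000000001"})
    carol = Profile("+10000000003", "https://example.invalid/pic/carol", "Away", True,
                    visibility="nobody")
    return LookupService([alice, bob, carol])


def enumeration_demo(svc, requester="+10000000009", attempts=25):
    """Simulate one client sweeping many numbers; count how many were throttled."""
    throttled = 0
    for i in range(attempts):
        if svc.lookup(requester, f"+1000000{i:04d}", now=1000 + i) is None:
            throttled += 1
    return throttled


if __name__ == "__main__":
    svc = build_demo_service()
    print(svc.lookup("+10000000001", "+10000000002", now=1))   # contact: visible
    print(svc.lookup("+10000000009", "+10000000002", now=1))   # stranger: hidden
    print(enumeration_demo(build_demo_service()), "lookups throttled")
```

The key design choices are that the server, not the client, decides what a requester may see, and that the hidden and unknown cases share one response shape; on its own the rate limit only slows a sweep down, which is why the flagged set exists as a detection signal rather than the sole control.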

Kloeze has expressed his concerns on his blog about how much this vulnerability could put users’ privacy under pressure. The security expert has shared his findings with Facebook, the owner of WhatsApp. Kloeze was told in an email that Facebook is aware of the possibility of the data collection and does not see it as a problem. Based on this response, Kloeze has decided to publish his findings on his blog.
