Sometimes, the smallest of things can lead to the most profound invasions of privacy. In this case, the "last seen" and "online" status on your WhatsApp profile can be used to make several inferences about your private life, as noted by one software engineer.
As Rob Heaton points out, the use of an extension that tracks the changes in your WhatsApp status can be used, if tracked consistently over a long period of time, to potentially indicate when you go to sleep and wake up, and perhaps with whom you talk.
While WhatsApp offers an option to qualify more precisely who can see your last seen status from among everyone, just your contacts, and no one, your status when you"re online is visible to everyone. Heaton suggests using this seemingly small invasion of your privacy to create a log of your activity on the service. If an attacker is using WhatsApp Web, they can easily create a Chrome extension to do so every few seconds.
Such an extension would also be relatively easy to create, with Heaton suggesting the use of the following four lines of JavaScript code:
setInterval(function() {
var lastSeen = $(".pane-header .chat-body .emojitext").last().text();
console.log(Math.floor(Date.now() / 1000) + ", " + lastSeen);
}, 1000);
Using this log, one may collect large amounts of data on your activity and, thus, be able to later analyse it to get an idea of when you sleep and at what time you wake up on a particular day of the week.
For an even more powerful set of stalking skills, you could modify the extension to log the activity of multiple individuals. The extension could then correlate the activity of two users during a specific time period as an indication that they"re talking to one another, giving hackers an opportunity to maybe work out who you talk to, how often, and for how long. Heaton includes a rudimentary drawing as a graphical depiction of how such a scheme would work, as shown above.
Alongside the ample opportunities such an exploit provides to stalkers, Heaton suggests such a scheme could also be used to collect data on large scales and onsold to health companies, which may be very interested in individuals" sleeping patterns.
Of course, this particular exploit isn"t a vulnerability in the sense that we"ve come to expect. It doesn"t require hacking into a company"s servers or even advanced knowledge of coding but it is a good example for the need of much stricter privacy controls on social media and messaging applications. The slightest of details about your usage can be used to glean a information about your habits and online interactions.
Source: Rob Heaton via The Next Web