Adulterers better act extra careful when using WhatsApp to pull their shenanigans. It turns out the Facebook-owned messenger suffers from a vulnerability that can be exploited to spy on your sleeping patterns – and find out precisely at what time you go to sleep and wake up.
What is particularly disturbing is that practically anybody with a little technical understanding and a spare laptop can abuse this flaw. The issue stems from the WhatsApp’s last seen and online status features which make it possible to continuously check up on your contacts for the last time they were online.
The worst part, though, is that there is nothing you can do to stop attackers from monitoring your activity. While WhatsApp has an option to show your last seen status to everyone, only your contacts, or no one, there is no way to disable the online status feature which reveals you’re actively using the service.
This might seem rather harmless, but logging all of this data for later analysis could reveal quite a bit about the way you spend your time – and especially when and how much you sleep. And this is precisely what one resourceful developer did.
The discovery comes from software engineer Rob Heaton, who has made other similar security-related findings in the past.
To demonstrate how this data could be abused for malicious purposes, the researcher imagines a scenario in which he builds a Chrome extension with the sole purpose of watching and recording the online activity of his WhatsApp contacts using the service’s web-based app.
This makes it possible to guesstimate when a person wakes up and goes to sleep as well as exactly how much sleep they’re getting.
Things get much more spookier when you cross-reference the online activity patterns of one person with those of another.
Overlapping the data of multiple people could make it possible to find out if your contacts are talking to each other.
For instance, if a person goes online to drop a line to one of their contacts, that contact is likely to pop up online to respond; once this starts to turn into a pattern, it becomes possible to compare this online activity to figure out how likely it is the two people were in a conversation with each other.
Heaton has shared some graphs to show how this might look:
The security researcher further warns that this data can also be easily collected on a mass scale and then sold to third-party companies for advertising purposes. People with irregular sleeping patterns are, after all, excellent customers to sleeping pills manufacturers.
For context, the flaw outlined by Heaton is a problem messenger services have been dealing with for ages – and one that affects many other communication apps. In fact, crafty researchers have already exploited this vulnerability to pull the same trick on Facebook.