There is absolutely no way to hide whether you are online on WhatsApp, not just from your contacts, but from literally anyone on the internet. This leaves the door open for stalkers to find out whether a user is online, and potentially even if that user is talking to someone else.
On Tuesday, cybersecurity company Traced published research showing how easy it is for anyone to figure out if WhatsApp users are online or not. The report details how there are several apps and websites that allow anyone to simply enter a number and see whether the number's owner is online on WhatsApp. Some sites even let people enter two numbers and see when their online status overlaps.
WhatsApp offers a feature to control your "status," which users may think refers to their contacts seeing if they are online or not. But you simply cannot hide whether you are online, not from your contacts, nor from anyone. That's because on WhatsApp, "status" refers to status updates on the app. It works similarly to a Facebook post or an Instagram story: you can fine-tune which contacts see your message, but the feature does not let you appear offline. The options are also framed as choosing who can see your status updates; although you can select no contacts, effectively hiding them from everyone, there's no dedicated option to simply hide your status updates either.
Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and one of the world's foremost experts on stalkerware, warned that this can enable stalking behavior.
"To begin with, this setting does not make it easy to simply not share your online status with anyone. It is framed in such a way as to imply that of course there are people with whom you still want to share your status," Galperin told Motherboard in an online chat. "And if even that doesn’t work correctly, then it is actively misleading and potentially endangering WhatsApp users."
In a test, I set the status setting to "Only Share With…" and did not select any contacts. Despite that, a colleague was able to see me as "Online" both on their WhatsApp mobile app and on a site that offers anyone the ability to check if a number is online on WhatsApp. When I closed the app, my colleague did not see the "Online" status within their app, and my number was flagged as "Offline" on the website. My status, set to a picture of my cat, was not visible to my colleague.
In other words, WhatsApp's "status" privacy setting does not do what most users are likely to expect when given the option to control their status settings on a social network, and some users may mistakenly believe it affects whether they appear online or off.
As Traced found out, there are services that allow anyone to monitor two numbers at the same time and compare their activity. This way, it's possible to infer if those two people are talking to each other on WhatsApp.
A WhatsApp representative explained that the app is designed to always let users see whether others are online or not. In an official FAQ about configuring privacy settings, WhatsApp says that "there is no way to hide when you are online or typing."
For Galperin, "that seems like a problem rather than a fucking feature," she said.
"We listen closely to feedback from users and we’ve heard that knowing when someone in their contacts is 'online' provides a sense of closeness when friends and family are chatting with one another," a WhatsApp spokesperson told Motherboard. "We provide a setting to allow people to choose who can view the time a user was 'last seen' within WhatsApp. To help prevent abuse, we regularly work with app stores to seek the removal of apps like these that attempt to violate our terms of service."
Do you reverse engineer and research vulnerabilities in mobile apps? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr, OTR chat at email@example.com, or email firstname.lastname@example.org
Even if a user sets the "last seen" setting to "Nobody," other WhatsApp users—as well as some online sites that offer this service—can see whether a specific number is online.
This is not the first time researchers have noticed the privacy risks of not allowing users to hide whether they are online or not. In 2014, researchers at the University of Erlangen-Nuremberg published a project that they hoped would "raise awareness of the various kinds of privacy-related information that can be queried using a phone number without any user authorization."
UPDATE, April 15, 10:50 a.m. ET: WhatsApp investigated the website that Motherboard used in the test and found that it was using several WhatsApp accounts to check whether others were online.
“We have banned the WhatsApp accounts associated with this website, requested Google remove their app from the Play Store, and sent the person behind it a cease and desist order,” a WhatsApp spokesperson told Motherboard. “Automating WhatsApp’s features to scrape information is a violation of our terms of service and we will continue to take action to protect the privacy of our users and help prevent abuse.”
Joseph Cox contributed reporting.