Building a Database of WhatsApp Users Can Be Pretty Easy
Image: Aishath Nasir/Shutterstock

A researcher showed how it’s possible to grind through phone numbers, see if the person is using WhatsApp, and then grab some user details.
May 15, 2017, 2:00pm

You can learn a surprising amount about someone through WhatsApp, even if you don't actually talk to them.

At least, that's according to the work of a security researcher who found you can grab the profile photo and online status of a number of WhatsApp users, and essentially make a database of those who use the service and haven't turned on certain protections.

The issue itself—of being able to enumerate information on users with few or no limits—is not a new problem; researchers have done similar things with other apps. But it still highlights a potential privacy issue that affects one of the most popular messaging platforms on the planet.

"Creating a database of phone numbers, profile pictures and status information of almost all users of WhatsApp turns out to be very easy. The user doesn't even have to be added to your contacts," security researcher Loran Kloeze wrote in a blog post last week.

The trick uses the web-browser version of WhatsApp, and the service's undocumented API. By fiddling around with that, Kloeze found it was possible to use a script to request data on a user if you have their phone number. The thing is, WhatsApp seemingly doesn't severely limit the number of requests you can make, meaning Kloeze was able to grind through hundreds of possible phone numbers at speed, and generate a list of successful hits.

A sample of some of the data Kloeze collected. Image: Loran Kloeze.
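A server-side control against the kind of enumeration described above, shown as an added example that is not WhatsApp's code or part of Kloeze's research: a per-client sliding-window budget on how many distinct phone numbers may be looked up. The window length, the limit, the client ids and the phone numbers are all assumptions constructed for the illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 60        # assumption: length of the sliding window
MAX_DISTINCT_NUMBERS = 20  # assumption: distinct numbers one client may look up per window


class LookupLimiter:
    """Per-client budget on *distinct* phone numbers looked up in a sliding window."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT_NUMBERS):
        self.window = window
        self.limit = limit
        self.seen = defaultdict(dict)  # client_id -> {number: time of last lookup}

    def allow(self, client_id, number, ts):
        seen = self.seen[client_id]
        # Forget numbers whose last lookup has aged out of the window.
        for old in [n for n, t in seen.items() if ts - t >= self.window]:
            del seen[old]
        # Re-checking a known contact is free; a new number spends budget.
        if number not in seen and len(seen) >= self.limit:
            return False
        seen[number] = ts
        return True


def constructed_events():
    """Constructed sample traffic: (timestamp, client_id, number) tuples."""
    events = []
    contacts = ["+1555555%04d" % i for i in range(5)]
    for i in range(20):   # ordinary client re-checking 5 contacts over 30 seconds
        events.append((i * 1.5, "client-normal", contacts[i % 5]))
    for i in range(300):  # client walking a consecutive block at 10 lookups/second
        events.append((i * 0.1, "client-walker", "+1555556%04d" % i))
    return sorted(events)


def replay(events, limiter=None):
    """Feed events through the limiter; return {client_id: (allowed, denied)}."""
    limiter = limiter or LookupLimiter()
    totals = defaultdict(lambda: [0, 0])
    for ts, client_id, number in events:
        totals[client_id][0 if limiter.allow(client_id, number, ts) else 1] += 1
    return {c: tuple(v) for c, v in totals.items()}


if __name__ == "__main__":
    print(replay(constructed_events()))
```

Counting distinct numbers rather than raw requests leaves a client that keeps refreshing the same few contacts untouched while stopping a client that walks a number range.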

Again, this may only really be a potential privacy risk; some people may not have an issue with the collected data. And WhatsApp users can decide to hide their profile picture and online status. Regardless, the research does provide some interesting possibilities.

"The database can be queried in such a way that it tells me when a phone number was online and it tells me what profile picture belongs to the phone number. After a few months it can tell me how often you have changed your profile picture and into what pictures," Kloeze writes.

Kloeze says he informed Facebook, WhatsApp's owner, of the trick, and the company said the issue was not within the scope of its bug bounty program.

A WhatsApp spokesperson told Motherboard in an email, "We build WhatsApp to be simple, reliable, and secure, and we appreciate feedback that makes our product better. Behind the scenes, WhatsApp detects abuse based on measures that identify and block data scraping. We are constantly evaluating and implementing measures that improve people's security across mobile and desktop. We also provide user controls in Settings for added privacy."