Anyone who knows your WhatsApp number can figure out if you are only using the mobile app, or its companion web or desktop apps, a security researcher found.
Tal Be’ery, the co-founder and CTO of crypto wallet maker ZenGo, found that it’s possible to determine whether a user on WhatsApp is using more than just the mobile app. Be’ery demonstrated and proved his findings in tests performed with WhatsApp numbers controlled by TechCrunch.
While revealing where users have WhatsApp running is not the most dangerous leak of information, digital security experts agree that it’s not an ideal situation, and, in some cases, it could help hackers target WhatsApp users.
“[It] could be useful for information gathering and plotting an attack,” Runa Sandvik, a digital security expert, told TechCrunch, referring to how hackers could figure out that their target is using WhatsApp on a desktop, which is generally an easier target to compromise than a mobile phone.
“It at least tells you more about the devices they use and how ‘accessible’ their WhatsApp setup may be,” said Sandvik, who is the founder of Granitt, a startup that aims to train at-risk people like journalists, activists and politicians.
Meta’s spokesperson Zade Alsawah told TechCrunch that the company received Be’ery’s research and concluded that the app’s current design “is what users want and expect.”
“It used to be the case that your phone had to be online to receive messages and that provided significant limitations for people. With multi-device, users can send and receive their personal messages across devices privately with end-to-end encryption — and that’s the direction we’ll continue to take,” Alsawah said in a statement.
Harlo Holmes, the chief information security officer and director of digital security at the Freedom of the Press Foundation, said that being able to tell on which devices people are using WhatsApp is a privacy issue.
Referring to the ability to disable read receipts and typing indicators on WhatsApp, Holmes said that WhatsApp should offer a similar opt-out feature for device indicators.
“Presence-related metadata should be protected and opt-in. Similar to geolocation, away status, and read receipts; this is no different,” Holmes told TechCrunch.
In practice, Holmes said, “perhaps a stalker could deduce that I’m at home or not, depending on which device I used.”
Be’ery wrote in his blog post explaining the data leak that it is a consequence of the way WhatsApp is designed: when someone sends a message to another WhatsApp user, the sender’s device establishes a separate encryption session, with its own session key, for each device the receiver has linked. The number of sessions the sender has to set up therefore tells the sender how many devices the receiver is using.
Anyone can find out this kind of information by using WhatsApp on the web and inspecting the traffic with the browser’s developer tools, Be’ery explained. The only thing a malicious attacker has to do is add the target to their contact list, and this works even if the target has blocked the attacker’s number, as Be’ery demonstrated to TechCrunch.
In other words, there is nothing a person can do to prevent others from seeing this type of information. And WhatsApp isn’t going to change how the app works either — at least for now.