Anyone who knows your WhatsApp number can tell if you only use the mobile app or its companion web or desktop apps, a security researcher has found.
Tal Be’ery, co-founder and CTO of crypto wallet maker ZenGo, found that it is possible to determine whether a user on WhatsApp uses more than the mobile app. Be’ery demonstrated and proved his findings in tests conducted with WhatsApp numbers checked by TechCrunch.
While revealing where users are running WhatsApp isn’t the most dangerous information leak, digital security experts agree it’s not an ideal situation and, in some cases, could help hackers target WhatsApp users.
“[It] could be useful for gathering intelligence and planning an attack,” cybersecurity expert Runa Sandvik told TechCrunch, referring to how hackers could tell their target is using WhatsApp on a desktop computer, which is generally an easier target for compromise than a mobile phone.
“It at least tells you more about the devices they’re using and how ‘accessible’ their WhatsApp setup might be,” said Sandvik, who is the founder of Granitt, a startup that aims to educate at-risk people, such as journalists, activists and politicians.
Meta spokesperson Zade Alsawah told TechCrunch that the company received Be’ery’s research and concluded that the app’s current design “is what users want and expect.”
“It used to be that your phone had to be online to receive messages and that provided significant limitations for people. With multiple devices, users can send and receive their private messages across all devices privately with end-to-end encryption — and that’s the direction we’ll continue to take,” Alsawah said in a statement.
Harlo Holmes, chief information security officer and director of digital security at the Freedom of the Press Foundation, said being able to tell what devices people use WhatsApp on is a privacy issue.
Referring to the ability to turn off read receipts and typing tokens on WhatsApp, Holmes said that WhatsApp should offer a similar opt-out feature for device tokens.
“Presence-related metadata should be protected and participated. Similar to geolocation, absent status and read receipts. This is no different,” Holmes told TechCrunch.
In practice, Holmes said, “perhaps a hunter could infer that I’m home or not, depending on the device I was using.”
Be’ery wrote in his blog post explaining the data leak that it is a consequence of the way WhatsApp is designed: When someone sends a message to another WhatsApp user, their device generates a different session key for each device the receiver uses, thus telling the sender how many devices the receiver uses.
Anyone can learn this kind of information by using WhatsApp on the web and inspecting traffic with a browser’s developer tools, Be’ery explained. All a malicious attacker has to do to discover this information is add the target to their contact list, and this works even if the target blocks the attacker’s number, as Be’ery showed to TechCrunch.
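The two paragraphs above describe the mechanism (one session per recipient device, so the sender sees the device count) and the failure of blocking as a countermeasure. The following is an added toy model written for this page, not WhatsApp or Signal protocol code and not Be’ery’s tooling. It assumes a simplified server that hands out per-device public keys without consulting the block list and only enforces blocking at delivery time; the Diffie-Hellman group, the device ids, and the phone numbers are all constructed for the illustration.

```python
"""Toy model of per-device session setup, showing how the sender learns the
recipient's device count. Constructed illustration: not WhatsApp or Signal
protocol code, and the Diffie-Hellman group is a toy one chosen for brevity."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy modulus; real multi-device E2EE uses X25519 (assumption: toy only)
G = 5


def keygen():
    """Toy DH keypair standing in for a device's identity/prekey."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


class Device:
    def __init__(self, number, device_id):
        self.number = number          # account (phone number) the device belongs to
        self.device_id = device_id    # 1 = phone, 2+ = linked web/desktop (assumption)
        self.priv, self.pub = keygen()
        self.sessions = {}            # (peer_number, peer_device_id) -> session key


class Server:
    """Directory of registered devices plus the block list."""
    def __init__(self):
        self.devices = {}   # number -> [Device, ...]
        self.blocks = {}    # number -> {blocked numbers}

    def register(self, dev):
        self.devices.setdefault(dev.number, []).append(dev)

    def block(self, number, blocked_number):
        self.blocks.setdefault(number, set()).add(blocked_number)

    def key_bundles(self, target):
        # Model assumption: key distribution does not consult the block list,
        # only message delivery does. That is what keeps the count observable
        # from a blocked number, as the article describes.
        return [(d.device_id, d.pub) for d in self.devices.get(target, [])]

    def deliver(self, sender, target, envelopes):
        """Returns the number of envelopes accepted for delivery."""
        if sender in self.blocks.get(target, set()):
            return 0
        return len(envelopes)


def establish_sessions(server, sender_dev, target):
    """One session key per recipient device, as a Signal-style client does.
    Returns the recipient device ids the sender now holds sessions for."""
    bundles = server.key_bundles(target)
    for dev_id, peer_pub in bundles:
        shared = pow(peer_pub, sender_dev.priv, P)
        sender_dev.sessions[(target, dev_id)] = hashlib.sha256(
            shared.to_bytes(16, "big")).digest()
    return [dev_id for dev_id, _ in bundles]


def count_devices(server, sender_dev, target):
    """The leak: the number of sessions equals the target's device count."""
    return len(establish_sessions(server, sender_dev, target))


def encrypt_for_all(sender_dev, target, plaintext):
    """One envelope per session; an HMAC tag stands in for the per-device
    ciphertext. In a web client these envelopes are what developer tools show."""
    return [
        (dev_id, hmac.new(key, plaintext, hashlib.sha256).digest())
        for (num, dev_id), key in sender_dev.sessions.items() if num == target
    ]


def demo():
    srv = Server()
    attacker = Device("+15550000001", 1)
    srv.register(attacker)
    for dev_id in (1, 2, 3):                     # phone + web + desktop (constructed)
        srv.register(Device("+15550000002", dev_id))
    srv.register(Device("+15550000003", 1))      # phone-only user (constructed)

    multi = count_devices(srv, attacker, "+15550000002")
    phone_only = count_devices(srv, attacker, "+15550000003")

    # The target blocks the attacker: the device count is still visible,
    # only delivery is stopped.
    srv.block("+15550000002", attacker.number)
    after_block = count_devices(srv, attacker, "+15550000002")
    envelopes = encrypt_for_all(attacker, "+15550000002", b"hi")
    delivered = srv.deliver(attacker.number, "+15550000002", envelopes)
    return {"multi_device_user": multi, "phone_only_user": phone_only,
            "after_block": after_block, "envelopes": len(envelopes),
            "delivered_after_block": delivered}


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the check sits: the block list is consulted when a message is delivered, but the sender has already had to fetch one key bundle per device to build sessions, so the count is learned before any delivery decision is made. Moving the block check in front of key distribution, or returning a fixed number of bundles, would be the design change that closes this channel.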
In other words, there is nothing a person can do to prevent others from seeing this kind of information. And WhatsApp isn’t going to change the way the app works either — at least for now.