As all of you know, WhatsApp, probably the most used messenger out there, has offered the option to use it in the browser for quite some time.
Improved UX through faster and easier typing on the keyboard, yadda yadda yadda.
Logged in to web.whatsapp yourself
As shown in the PoC below, you can enumerate basically every number (even if it is not in your contact list, because why not) and collect all the data for each person. This includes:
- phone number
- profile picture
- online/offline status
This can be done by basically everyone at home, and since it's not bound to the contacts in your list, you can create a whole database for e.g. your country that is regularly updated. After some time you can easily do some quick data analytics on each person and their behavior:
- How often the profile picture is changed
- Same with status
- avg. active times throughout a day/month/...
A little extra: facial recognition. Imagine taking a picture of a complete stranger and feeding it into your DB; it may return all the above data. That's nice, isn't it?
This privacy breach was already shown to WhatsApp, with the reply:
"We know, it's not a problem"