In the previous blog post, we saw that it is quite simple to hack the WhatsApp online status of a contact. A simple Online or last seen yesterday at 19:00 indicator can be reverse engineered to leak phone habits with an accuracy of a couple of seconds.

There is an even sillier thing not mentioned yet: you can track any mobile phone! So let's play and scale up to track 5000 random numbers.

As previously, I am sharing the source code as a PROOF OF CONCEPT. You can jump straight to the end if you are more curious about the results than about the technical stuff I'm about to walk through. We are reusing the previous code with Node.js, Puppeteer & Grafana.

My Friends, My contacts

WhatsApp reads the phone's contacts and lets you chat with the ones who are also enrolled. As a result, we can simply register any random phone number as a contact to find it on WhatsApp.

While no consent is involved in adding a number to your phone's contact list, WhatsApp protects users by asking them to accept or report as spam at the first message from an unknown number. It certainly helps fight bots. Surprisingly, it doesn't cover the Last Seen status.


Ouch, why am I seeing this last seen data?

As seen previously, there is a privacy setting to prevent this. It defaults to Everyone, and nobody configures it.


WhatsApp disables the Last Seen feature in both directions if you don't want to share yours

Playing around with 5000 contacts

Now, I wonder how far we can go with this weakness. I don't want to track individuals, and I won't ask 5000 people for their consent like I could during the first hack.

So I will stress the feature, compute a couple of anonymous statistics and drop the data. Let's scale up and track 5000 phones.

Generating 5000 contacts

To scale the proof of concept to 5000 contacts, I need to register 5000 contacts on my phone! And I won't do it by hand.
To do this, I browse to my Google account from the desktop website and head to the Contacts page, where there is a button labeled import a CSV ❤️.

The documentation looks super messy and far too long. I skip it and export my pre-existing contacts to see the data model. And the data model is genuinely complex. After a couple of tries, I manage to import a few contacts with the smallest possible number of fields filled in.

Name,Given Name,Additional Name,Family Name,Yomi Name,Given Name Yomi,Additional Name Yomi,Family Name Yomi,Name Prefix,Name Suffix,Initials,Nickname,Short Name,Maiden Name,Birthday,Gender,Location,Billing Information,Directory Server,Mileage,Occupation,Hobby,Sensitivity,Priority,Subject,Notes,Language,Photo,Group Membership,Phone 1 - Type,Phone 1 - Value
ContactA,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Mobile,06 01 02 03 04
ContactB,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Mobile,06 01 02 03 05
ContactC,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Mobile,06 01 02 03 06

In case you are more used to CSVs in Excel…

So I write a script to generate the CSV of 5000 contacts right away ⬇️.
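As an added illustration, and not the author's own script, here is a Node.js generator for that CSV. It keeps the 31-column header from the export above, fills only Name, Phone 1 - Type and Phone 1 - Value, and draws random numbers in the French 06 range written in pairs like the example rows. The CRLF line endings and the de-duplication of numbers are my assumptions rather than something the post states.

```javascript
// Added example: generate a Google Contacts CSV of throwaway contacts, one per
// random French 06 mobile number. Not the original post's script.
// Header copied from the Google Contacts export shown above (31 columns).
const HEADER = [
  'Name', 'Given Name', 'Additional Name', 'Family Name', 'Yomi Name',
  'Given Name Yomi', 'Additional Name Yomi', 'Family Name Yomi', 'Name Prefix',
  'Name Suffix', 'Initials', 'Nickname', 'Short Name', 'Maiden Name', 'Birthday',
  'Gender', 'Location', 'Billing Information', 'Directory Server', 'Mileage',
  'Occupation', 'Hobby', 'Sensitivity', 'Priority', 'Subject', 'Notes',
  'Language', 'Photo', 'Group Membership', 'Phone 1 - Type', 'Phone 1 - Value',
];
const TYPE_COL = HEADER.indexOf('Phone 1 - Type');   // 29
const VALUE_COL = HEADER.indexOf('Phone 1 - Value'); // 30

// One random mobile number in the French 06 range, written in pairs
// ("06 01 02 03 04") like the export. `rng` is injectable for deterministic tests.
function randomFrenchMobile(rng = Math.random) {
  let digits = '06';
  for (let i = 0; i < 8; i++) digits += Math.floor(rng() * 10);
  return digits.match(/.{2}/g).join(' ');
}

// A row with every column empty except Name, phone type and phone value.
function contactRow(name, phone) {
  const row = new Array(HEADER.length).fill('');
  row[0] = name;
  row[TYPE_COL] = 'Mobile';
  row[VALUE_COL] = phone;
  return row.join(',');
}

// Build the whole CSV. Numbers are de-duplicated so each contact maps to a
// distinct phone (assumption: one contact per number keeps the crawler simple).
function generateContactsCsv(count, rng = Math.random) {
  const seen = new Set();
  const lines = [HEADER.join(',')];
  while (seen.size < count) {
    const phone = randomFrenchMobile(rng);
    if (seen.has(phone)) continue;
    seen.add(phone);
    lines.push(contactRow(`Contact${seen.size}`, phone));
  }
  return lines.join('\r\n') + '\r\n'; // CRLF is an assumption (what Excel writes)
}

// Usage: node gen-contacts.js 5000 > contacts.csv
if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(generateContactsCsv(Number(process.argv[2]) || 5000));
}
```

The column offsets are looked up from the header rather than hard-coded, so if Google adds a column to its export you only need to paste the new header line.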


A bunch of 5000 French numbers

And I import it into my Google contacts.


Why the hell is this so easy, Google, are you mad?

Finally, I check that my phone syncs them (my poor phone took a whole hour to sync and might not handle 5k more contacts).

Data acquisition

I modify the code from the previous post to loop through the 5000 imported, unknown contacts and hit run.

I leave my crawler running for a couple of days (6 days straight with dumb code! Seriously, nothing stops it). And here is a lovely data viz in the Grafana dashboard reused from the previous work.


With an initial sample of 100 contacts. Each 'drop to 0' indicates that the given contact checked their smartphone

We can also test whether a phone number is registered on WhatsApp by querying the app, as shown in the screenshot below.

Conclusion

I managed to keep scanning 5000 phones continuously for a month with average web-scraping code.

WhatsApp is clearly not detecting or preventing abuse of this functionality. I was able to query the contact search 15,000 times in one single web session to retrieve last seen data.
I scraped a dataset of 112k records for the study.

My exploration shows we can:

  • Find out if a phone number is (or was) registered on WhatsApp
    • And therefore whether a phone number is (or was) valid and assigned in the telephony network
  • Retrieve the user's WhatsApp profile picture (a large-format version is extractable)
  • Retrieve the last seen data itself

Of the 5000 contacts, it is essential to point out that I don't know how many numbers are valid;
I used the French 06xxxxxxxx range (0033 6xxxxxxxx in international format), which reached saturation 10 years ago (which is why the 07xxxxxxxx range was introduced at that time). We could perhaps assume at least 80% valid phone numbers.

Here is a viz of users grouped by last seen date to give a sense of WhatsApp usage. I gathered the data around the first week of February.
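To make that grouping concrete, here is an added example (mine, not the post's crawler or its Grafana pipeline) that turns the status strings scraped from WhatsApp Web into timestamps and counts contacts per recency bucket. The string formats matched ('online', 'last seen today at HH:MM', 'last seen yesterday at HH:MM', a weekday name, or DD/MM/YYYY) are assumptions about the English web UI, the sample records are constructed, and all arithmetic is done in UTC, so the crawler browser's timezone must be accounted for before reusing it.

```javascript
// Added example: parse WhatsApp Web "last seen" strings and bucket contacts by
// recency. Not the original post's code; the formats below are assumptions
// about the English UI and all times are treated as UTC.
const DAY_MS = 24 * 60 * 60 * 1000;
const WEEKDAYS = ['sunday', 'monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday'];

function utcMidnight(d) {
  return Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate());
}

// Resolve one status string to a Date, or null when nothing usable is shown
// (privacy setting restricted, empty status, or an unknown format).
// `now` is the scrape time; relative words are resolved against it.
function parseLastSeen(text, now) {
  const s = (text || '').trim().toLowerCase();
  if (s === 'online') return new Date(now.getTime());
  let m = s.match(/^last seen (today|yesterday|[a-z]+day) at (\d{1,2}):(\d{2})$/);
  if (m) {
    let base = utcMidnight(now);
    if (m[1] === 'yesterday') {
      base -= DAY_MS;
    } else if (m[1] !== 'today') {
      const wd = WEEKDAYS.indexOf(m[1]);
      if (wd < 0) return null;
      // A weekday name means the most recent past occurrence of that day.
      let back = (now.getUTCDay() - wd + 7) % 7;
      if (back === 0) back = 7;
      base -= back * DAY_MS;
    }
    return new Date(base + Number(m[2]) * 3600000 + Number(m[3]) * 60000);
  }
  m = s.match(/^last seen (\d{2})\/(\d{2})\/(\d{4}) at (\d{1,2}):(\d{2})$/);
  if (m) {
    return new Date(Date.UTC(Number(m[3]), Number(m[2]) - 1, Number(m[1]), Number(m[4]), Number(m[5])));
  }
  return null;
}

// Count records per recency bucket, the grouping used for the chart above.
function bucketByRecency(records, now) {
  const counts = { online: 0, day: 0, week: 0, month: 0, older: 0, hidden: 0 };
  for (const r of records) {
    const t = parseLastSeen(r.lastSeen, now);
    if (t === null) { counts.hidden += 1; continue; }
    const age = now.getTime() - t.getTime();
    if (age <= 0) counts.online += 1;
    else if (age < DAY_MS) counts.day += 1;
    else if (age < 7 * DAY_MS) counts.week += 1;
    else if (age < 30 * DAY_MS) counts.month += 1;
    else counts.older += 1;
  }
  return counts;
}

// Constructed sample: a scrape on Wed 3 Feb 2021 20:00 UTC; the numbers are fake.
const SCRAPE_TIME = new Date(Date.UTC(2021, 1, 3, 20, 0));
const SAMPLE = [
  { number: '06 00 00 00 01', lastSeen: 'online' },
  { number: '06 00 00 00 02', lastSeen: 'last seen today at 19:00' },
  { number: '06 00 00 00 03', lastSeen: 'last seen yesterday at 08:15' },
  { number: '06 00 00 00 04', lastSeen: 'last seen Monday at 12:00' },
  { number: '06 00 00 00 05', lastSeen: 'last seen 10/01/2021 at 21:30' },
  { number: '06 00 00 00 06', lastSeen: 'last seen 20/12/2020 at 09:00' },
  { number: '06 00 00 00 07', lastSeen: '' }, // Last Seen hidden by the contact
];
console.log(bucketByRecency(SAMPLE, SCRAPE_TIME));
// → { online: 1, day: 1, week: 2, month: 1, older: 1, hidden: 1 }
```

The hidden bucket matters for the statistics: a contact who restricted Last Seen looks exactly like an unparsed format, so keep the raw string alongside the parsed value if you want to tell the two apart later.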


The drop from 1357 users active during the last month to 281 in the last week is quite significant and could be linked to the backlash WhatsApp faced during late December 2020. I'm somewhat not inspired to mine the data further. I guess this is it. Thanks for reading.

Messenger, Signal & Telegram (bonus)

(Facebook) Messenger doesn't use phone contact numbers to find users, as it relies on Facebook accounts: a completely different design, since it is a social network more than a mobile VoIP service. I expect many similar hacks and data acquisitions to be possible around Messenger. But that's another case, for later?

Signal and Telegram are more similar to WhatsApp in the way they handle contacts. However, they don't leak as much.

Telegram's last seen data is less publicly available and is vague, such as 'within a month'. Its search did not leak enough to estimate the number of users during my study. But it seems this is now possible as I write this six weeks later. I'm a little pissed off.

For Signal, there is no last seen functionality at all; this is clean. But counting the users was simple. Signal shows a '{x} is on Signal!' notification when a contact has joined. It helps to monitor users' conversion to Signal.

94 users out of 5000 were on Signal on day 1, with 1-2 newcomers every day during the following days. Nobody uses Signal in France; Elon Musk had limited influence, apparently.


Yes, it's a picture. Tracker-free.