[HN Gopher] How a WhatsApp status loophole is aiding cyberstalkers
___________________________________________________________________
How a WhatsApp status loophole is aiding cyberstalkers
Author : dsr12
Score : 82 points
Date : 2021-04-14 16:55 UTC (6 hours ago)
(HTM) web link (traced.app)
(TXT) w3m dump (traced.app)
| grawprog wrote:
| I really hate the online notification in WhatsApp because it's
| not possible to disable it. Even Facebook lets you appear offline
| if you want to. It's been a standard feature of messaging apps
| since pretty much as long as they've existed. Why WhatsApp chose
| to make this setting like this has always just made my brain
| hurt.
|
| Does anyone actually like that every time you open WhatsApp any
| person who has WhatsApp installed and has your number in their
| contact list, they can see that you opened the app with zero way
| to disable it? That would be bad enough on a desktop app, on a
| mobile app it's completely and utterly fucked.
| gambiting wrote:
| Wait, WhatsApp has status notifications??
| bellyfullofbac wrote:
| I wonder what status your contacts see if you have WhatsApp Web
| open...
|
| If someone really needs a workaround, a hack would be to have a
| browser instance somewhere connected to WA Web and if necessary
| some sort of virtual mouse randomly clicking contacts so WA
| thinks you're actually active. That way you'll always appear
| online to your contacts, and they won't know what your real
| status is.
| g_p wrote:
| WhatsApp Web doesn't seem to update the presence status, as
| I've seen people ask why others are able to reply without
| their last-online time updating.
| segmondy wrote:
| You can disable it so others don't know if you're online, you
| also won't be able to see if others are online.
|
| Settings, Account, Privacy, Last seen - (options are everyone,
| my contacts, nobody). Set it to nobody
|
| You can also turn off your read receipts.
| ffpip wrote:
| > You can disable it so others don't know if you're online
|
| You cannot do this. Hiding "last seen" does not stop whatsapp
| from showing you online. It will always show you as online
| (even to people not in your contacts) if you open the app
| while being connected to the internet.
| miek wrote:
| Unfortunately, this doesn't work. That setting change
| prevents people from seeing "last seen", which is different
| than "online". The article talks about this as well.
| praseodym wrote:
| This still exposes whether you are online, just not the last
| seen time.
| amelius wrote:
| Yes, I hate it too. My boss doesn't need to know when I'm
| texting, and they can see this even if they don't use any
| cyberstalking software.
| [deleted]
| prpl wrote:
| I turn off wifi and cell service if I want to open the app
| surreptitiously. I'm not sure if it reports "last seen" in that
| scenario but at least there is one way to check the app without
| reporting.
| grawprog wrote:
| Yeah I do that too. It's a hacky workaround though and I'm
| still not entirely sure it won't show you online briefly once
| you turn data on again. I know it shows you as online if you
| answer a message using the notification bar. I tested that
| one. It happens as soon as you click reply.
| bellyfullofbac wrote:
| Having 2 phones and 2 accounts I just checked.
|
| I opened WhatsApp at xx:00, other phone says "Last seen
| xx:00". Put phone to airplane mode, and at xx:03 I opened
| WhatsApp in that mode, then put WA on background (without
| "killing" it from the task switcher) and I immediately
| turned off airplane mode.
|
| I checked on the other phone, and it still said "Last seen
| at xx:00". So, it seems that line is honest, since I was on
| airplane mode, the network didn't "see" me.
| grawprog wrote:
| That's good to know at least. Honestly, I get overly
| paranoid sometimes about such things. It's hard to know
| what apps do in the background these days.
| dorkwood wrote:
| > Acceptable forms of these apps can be used by parents to track
| their children. However, these apps cannot be used to track a
| person (a spouse, for example) without their knowledge or
| permission unless a persistent notification is displayed while
| the data is being transmitted.
|
| Why is it ethical to track children, but not adults? If phones
| existed when I was a kid, I would have been horrified to discover
| my parents had installed spyware on my phone.
| mLuby wrote:
| How much time can pass before it's unethical for a guardian
| _not_ to know where their ward is? 1 hour is fine, but 1 day
| would be concerning, and definitely 1 week is too long. (It may
| be related to how long the ward might survive without finding
| shelter or water.) So some degree of tracking is required.
|
| However, ethically speaking, we should strive to track as
| little as possible, since the whole point is to allow the child
| to develop into an independent, self-responsible adult.
|
| What's deemed acceptable to maintain control over a child has
| been diminishing (e.g. corporal punishment). Maybe location
| tracking should be the next addition to a child's Bill of
| Rights (and then we can talk to our Big Brother babysitter
| about knocking it off too).
| lsiebert wrote:
| In general or this shit specifically? I'm not sure why you
| would need this sort of status for kids.
|
| In general though, well a natural or man made disaster can
| happen suddenly, and you probably want to know where your kid
| is then, especially if you are fleeing for your life.
|
| Also, kids get kidnapped. Some kids run away. Also there are
| bad people on the internet, horrible people that find kids
| attractive and then groom children or teens.
|
| Having a kid, and I don't myself have one but my sister does,
| seems to involve a lot of worrying about bad shit happening.
| Kids don't always make the best decisions on their own. Neither
| do teens; and if someone is late for curfew, checking the app
| when they don't answer their phone is better than frantically
| calling hospitals.
| scrollaway wrote:
| Everything you said is applicable to adults as well though.
| zimbatm wrote:
| I haven't technically validated it, but it looks like this is
| also the case for the Matrix protocol. If a user is in a public
| room, then their presence gets encoded as part of the message
| history. If the room is fully public, anybody can come along and
| get the historical info.
|
| It's possible to turn off presence but only on the server level.
| skrebbel wrote:
| I'll never understand this kind of framing. Why not "How
| cyberstalkers are using a WhatsApp status loophole"? I mean it's
| not like WA added the loophole in an enthusiastic attempt to
| "aid" cyberstalkers.
| [deleted]
| dvfjsdhgfv wrote:
| Because every little detail in WhatsApp is geared towards
| getting a certain result, it's meant to influence your behavior
| in a way. In the case of messaging apps, the aim is to make you
| use them longer/more frequently. The privacy of the user has
| zero importance here.
| lol768 wrote:
| Because, to be honest, it was entirely foreseeable. It's awful
| software engineering practice to just gloss over and ignore the
| privacy implications of this sort of feature!
|
| These risks should've been brought up during code review (if
| not when the feature was designed and specced) and there
| should've been an opt out added to the Privacy settings dialog.
| ParanoidShroom wrote:
| There seems to be a hive mind attitude that bashing big tech is
| the "right thing" to do. And sensation of course. "a typical
| example of what happens when companies don't think about
| abusive relationships when they're making their design
| decisions.". I'm annoyed about making assumptions and exposing
| them as truth. Who said they didn't? I'm not defending the
| creepy abuse of those people at all, but I feel the focus is
| aimed at the wrong creator here.
| dvfjsdhgfv wrote:
| I'm not sure if the hive mind is at play here. You should
| have the right to privacy, period. Some companies/messaging
| apps respect that, some don't. Users react accordingly. Plain
| and simple.
| ParanoidShroom wrote:
| I agree, and you do have that right, it's a gradient and
| yes this is up for debate. It really isn't this black and
| white.
|
| That being said, I would like to see a platform for
| discussion from BOTH parties instead of blog posts with no
| real communication.
| vzaliva wrote:
| Stating the obvious (with quote from the article):
|
| "As an alternative to changing your number, you could try
| switching from WhatsApp to Signal, a popular, privacy-focussed
| instant messaging app. It's very similar to WhatsApp but built
| with greater concern for privacy and security. It does not have
| the same online or last seen statuses as WhatsApp and can't be
| tracked in the same way."
| Syonyk wrote:
| And everyone in your contact list, who has Signal installed,
| gets a message:
|
| Vzaliva is on Signal!
|
| At least if you're using the default settings, which is safe to
| assume most installs will.
|
| On the plus side, Signal is now common enough that it's no
| longer "Oh. That weird encrypted app that probably means you're
| a hacker." On the minus side, it's still a centrally managed
| service, and as most intelligence agencies will point out if
| asked, the message content being encrypted doesn't really
| bother them. Who you talk to, how often, and with what
| patterns? That's good enough for most of what they need to
| know, and I'm far from confident that Signal encrypts the
| metadata well enough to deter analysis.
|
| Matrix at least has the advantage of spreading the traffic out
| and making it a bit harder to analyze...
| renewiltord wrote:
| Yeah, why does it do that? Seems kind of weird that if you
| have my phone number you automatically get this notification
| that I installed an app. Not upset or anything because I
| don't mind. It just felt a bit skeevy.
| scrollaway wrote:
| The whole "protecting children" thing ... these apps are no
| better when used to watch your kids than they are when used to
| spy on your spouse.
|
| Spying on kids is just as creepy as spying on a spouse imo, and
| the whole "it comes from a place of love and concern" can apply
| to both just as well. It's all excuses by overzealous parents.
| Shit should be outlawed, period, none of these creepy exceptions.
| amelius wrote:
| Would it be possible to run WhatsApp in a sandbox, and let the
| sandbox perform the messaging through an API which other (more
| secure) chat clients can use to relay messages to/from the
| WhatsApp network?
| rovr138 wrote:
| Matrix has a WhatsApp bridge
| amelius wrote:
| Interesting. How well does it work in practice?
| GekkePrutser wrote:
| It works reliably, but it does require WhatsApp to run
| somewhere else on Android (or iOS!), as it simply simulates
| a WhatsApp Web client (which requires the real WhatsApp to
| run somewhere).
|
| So it doesn't really solve this problem if you connect to
| the WhatsApp instance on your phone and use that. I have
| WhatsApp installed on a Raspberry Pi for this with Emteria
| OS (Android build for Raspberry Pi)
|
| Also, I believe WhatsApp Web being connected makes you
| appear "Online" all the time. While this is a good solution
| to hide your actual online status, it may be confusing for
| people you talk to. They might think you're ignoring them.
|
| However, Facebook will probably use these stalking apps as
| an excuse to lock down any WhatsApp Web integration as some
| of these tools use the same method. So I doubt it will
| continue working for long.
| dvfjsdhgfv wrote:
| > I believe WhatsApp Web being connected makes you appear
| "Online" all the time.
|
| Somewhere else in this thread people claim the opposite.
| GekkePrutser wrote:
| Well I haven't tested it but I have seen that when I open
| WAW people suddenly start pinging me. So I assume this is
| why.
|
| Either way it's not a big deal as it hides your real
| status either way.
| bellyfullofbac wrote:
| I just loaded WhatsApp Web (I authenticated the browser a
| few days ago), and on my second phone/WA account I can
| see my main account appear as online.
|
| If the WAW tab loses focus, after a while it does change
| to "last seen...". On focus, it immediately says "online"
| again.
| amelius wrote:
| Then probably the bridge doesn't work like a browser. It
| keeps the (probably virtual) window in focus in the
| background.
| throwaway888abc wrote:
| Meh, just metadata
| suprfsat wrote:
| Previously in metadata:
| https://news.ycombinator.com/item?id=5854593
| _jal wrote:
| If you enjoyed that, stay tuned for:
| https://news.ycombinator.com/item?id=11108738
| Syonyk wrote:
| "We kill people based on metadata." ~Michael Hayden, former NSA
| and CIA director
|
| (https://www.justsecurity.org/10318/video-clip-director-
| nsa-c... if you're curious as to the source and context)
| renewiltord wrote:
| Thank you for this. Skipped the article.
___________________________________________________________________
(page generated 2021-04-14 23:02 UTC)