WhatsSpy Public is an web-oriented application that tracks every move of whoever you like to follow. This application is setup as an Proof of Concept that Whatsapp is broken in terms of privacy. Once you’ve setup this application you can track users that you want to follow on Whatsapp. Once it’s running it keeps track of the following activities:
- Online/Offline status (even with privacy options set to “nobody”)
- Profile pictures
- Privacy settings
- Status messages
I made this project for you to realise how broken the privacy options actually are. It just started out as experimenting with Whatsapp to build an Bot, but I was stunned when I realised someone could abuse this “online” feauture of Whatsapp to track anyone. I could just say this in like a blog article (like I tried but got marked as spam) that the privacy options are broken, but you wouldnt realise the impact it actually has.
- Secondary Whatsapp account (phonenumber that doesn’t use Whatsapp)
- Rooted Android phone OR Jailbroken iPhone OR PHP knowledge
- Server/RPi that runs 24/7
- Nginx or Apache with PHP with PDO (php5-pgsql installed) (you can’t host on simple webhoster, you need bash)
WhatsSpy Public requires an secondary Whatsapp account
. Once the tracker is started, you will not be able to recieve any messages over Whatsapp for this phonenumber. You can either try to register an non-Whatsapp used phonenumber with for example this script
or just buy an 5 euro SIM Card and use this phonenumber for the tracker.
For the tracker to work you need an secret which is retrieved from either your Phone or the register script mentioned above. In case of phone registration you need an jailbroken iPhone or rooted Android device in order to retrieve the secret.
- Jailbroken iPhone users: You can retrieve using this script.
- Rooted Android phones can use the following APK to retrieve the secret.
In order to retrieve the scecret you need to follow these steps:
- Insert your (new) secondary SIM card in your phone and boot it up.
- Re-install Whatsapp on your phone and activate it using the new phonenumber.
- Use either the APK (Android) or the script (iPhone) to retrieve the WhatsApp secret. Write this secret down, which is required later.
- Insert your normal SIM card and re-install WhatsApp for normal use.