WhatsSpy Public is a proof-of-concept web-based tool that allows an attacker to track every move of any WhatsApp user, even if the user has locked down their WhatsApp privacy settings.

WhatsSpy Public, created by Maikel Zweerink, could allow an attacker to access a WhatsApp user's profile picture, privacy settings, status messages and online or offline status…even if the user has set the WhatsApp privacy options to "nobody," which in theory is supposed to mean "your last seen, profile photo and/or status will not be available to anyone."

Zweerink said the WhatsApp privacy menu allows a user to "edit your 'last seen', 'profile picture' and 'status' privacy options. You may think now that you've set all options to 'nobody' you are privacy-wise safe. But nevertheless I can still track your moves on WhatsApp."

The WhatsSpy dashboard can display user information, such as a timeline of when a user was online. The app can also cross-analyze the timelines of two users to find overlapping activity.

If Bob comes online while Alice is looking at her previous conversations with him, Alice sees a notification that Bob's current status is online. According to Zweerink, "You may disable 'last seen,' 'profile picture' and 'status' but this won't disable this 'online' message from showing up. Obviously a lot of people won't know this still happens" but it represents "pretty broken privacy settings. Due to this feature, WhatsSpy Public can track virtually anyone because anyone can listen for these events."

He added:

The privacy options in Whatsapp act like they give you full control over your status in Whatsapp meanwhile they only affect a very limited scope. Sure, the last seen, profile picture and status options do work, but probably not as the user intended it to. The ability for a complete stranger to follow your in-app status is pretty creepy and might be abused already. This is not a 'hack' or 'exploit' but it's broken by design.
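Added example, not code from the article or from WhatsSpy Public: a small Python model of a server-side presence dispatcher that shows the broken behaviour Zweerink describes beside the obvious fix, gating online/offline events with the same 'last seen' option the user already set. The account identifiers, the `User` record and the `dispatch_presence` function are assumptions of this model, not WhatsApp's implementation.

```python
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    """The three values WhatsApp offers for the 'last seen' privacy option."""
    EVERYONE = "everyone"
    CONTACTS = "my contacts"
    NOBODY = "nobody"


@dataclass
class User:
    jid: str                                   # hypothetical account identifier
    contacts: set = field(default_factory=set)
    last_seen: Visibility = Visibility.EVERYONE


def may_see_presence(subject: User, observer: str) -> bool:
    """Decide whether `observer` may learn that `subject` is online/offline.

    Reuse the 'last seen' setting for live presence: 'nobody' hides the
    online event from everyone, 'my contacts' hides it from strangers.
    """
    if subject.last_seen is Visibility.EVERYONE:
        return True
    if subject.last_seen is Visibility.CONTACTS:
        return observer in subject.contacts
    return False


def dispatch_presence(subject: User, subscribers: set, gated: bool) -> list:
    """Return the observers that receive subject's online/offline event.

    gated=False models the behaviour the article describes: every account
    listening for the event gets it regardless of privacy settings.
    gated=True applies the privacy option before the event leaves the server.
    """
    if not gated:
        return sorted(subscribers)
    return sorted(o for o in subscribers if may_see_presence(subject, o))


def demo() -> dict:
    # Constructed sample: Bob set 'last seen' to nobody; Alice is his contact,
    # Mallory is a stranger who has subscribed to Bob's presence.
    bob = User("bob@example", contacts={"alice@example"}, last_seen=Visibility.NOBODY)
    listeners = {"alice@example", "mallory@example"}
    return {"broken": dispatch_presence(bob, listeners, gated=False),
            "fixed": dispatch_presence(bob, listeners, gated=True)}
```

With the gate in place the 'nobody' setting suppresses the online event for everyone, and 'my contacts' still delivers it to Alice but not to the stranger.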

Zweerink created WhatsSpy Public "for you to realize how broken the privacy options actually are." He was originally experimenting with WhatsApp to build a bot, but then he was "stunned" to discover that someone could abuse the WhatsApp 'online' feature to track anyone.

He includes instructions for setting up WhatsSpy Public on a Raspberry Pi, a server or a VPS. It requires a secondary WhatsApp account; a jailbroken iPhone, a rooted Android device or PHP knowledge; Nginx or Apache with PHP; PostgreSQL; and a server. He suggested using a Raspberry Pi as a cheaper alternative for running a server 24/7.

Zweerink says WhatsApp privacy settings are nothing but an illusion. It's not the first time WhatsApp security or privacy has been called a joke, and it's unlikely to be the last. Nevertheless, last April WhatsApp claimed to have half a billion monthly active members who send "700 million photos and 100 million videos every single day." The service kept growing by about 25 million users per month; in January 2015, WhatsApp said it had grown to 700 million monthly active users who send over 30 billion messages every day.