Surveillance with WhatsApp

- Reading time: 5 minutes -

Can and may WhatsApp be used for surveillance purposes?

Yes! and No!

It is very easy to spy on friends and/or strangers using WhatsApp, as there has long been a gaping security hole that has gone largely unnoticed:

Users of the messenger could be monitored with the help of a simple trick. Dutchman Loran Kloeze and US software developer Robert Heaton explain on their websites how easy it is to monitor other users of the messenger WhatsApp. The weak point is the online status, which can be queried to retrieve specific information. All that is needed for monitoring is the victim’s telephone number.

The online status is systematically monitored by a Chrome extension while WhatsApp Web is running. Regular queries can be used to build an activity log, which in turn allows conclusions to be drawn about the user’s daily routine - for example

  • when they work,
  • when they go to bed, or
  • whether they slept through the night.

Even “hiding” the online status does not protect the user against this kind of spying. By correlating the status of two telephone numbers, it is also possible to find out whether

  • two people communicate with each other regularly and
  • at what time they do so.

At first glance, the information spied on seems unspectacular and is unlikely to be a major problem for most users. Nevertheless, the security gap allows detailed user logs to be created, for which advertisers or other interested parties would pay a lot of money. In the worst case scenario, the data collected could be misused for criminal purposes.

WhatsApp statement:

In a nutshell: WhatsApp is aware of the vulnerability, but does not see it as a security problem.


Demonstration / Experiment

Here are the explanations of how it works. The prerequisite for both experiments is that “WhatsApp Web” is running in the browser.

1. Chrome extension from Loran Kloeze

This Chrome extension displays many consecutive phone numbers from a freely selectable number range, together with their status.

Source: https://github.com/LoranKloeze/WhatsAllApp (external)

2. Robert Heaton and his “4-line code”

// NOTE - Requires jQuery ($ must be available on the page)
setInterval(function() {
  // Read the "last seen ..." text shown in the header of the currently open chat
  var lastSeen = $('.pane-header .chat-body .emojitext').last().text();
  // Log a Unix timestamp together with that text, once per second
  console.log(Math.floor(Date.now() / 1000) + ", " + lastSeen);
}, 1000);

… in which only the retrieval of the “last seen” text needs to be swapped for retrieval of the “online status”.

Source:
https://robertheaton.com/2017/10/09/tracking-friends-and-strangers-using-whatsapp/ (external)

3. OnlineStatusMonitor

The University of Erlangen-Nuremberg also demonstrates the possibilities of monitoring with its project “OnlineStatusMonitor” (external).

Ethical considerations (translated from the contents of the website)
To protect the privacy of each randomly selected user, all statistics described in this section are based on anonymized data. Although we have tracked the exact online times of each user over several months, we have decided not to publish this data, but only to provide average cumulative statistics. Furthermore, we have taken some additional measures, such as blurring profile pictures and masking individual phone numbers. The data set is used for research purposes only and is not shared. These measures allow us to demonstrate the practical relevance and impact of permanently monitoring messenger users while ensuring that the privacy of each randomly selected messenger user is maintained.

4. Scientific papers

University of Ulm (2014)

https://www.uni-ulm.de/fileadmin/website_uni_ulm/iui.inst.100/institut/Papers/Prof_Weber/2014-MUM-whatsapp-privacy.pdf (external)

Scientific study (2020)

A collaborative study by TU Darmstadt, TU Graz and the University of Würzburg shows that current methods for mobile contact discovery pose a massive threat to users’ privacy:

Quote: Our study of three popular mobile messengers (WhatsApp, Signal and Telegram) shows that, contrary to all expectations, so-called crawling attacks are possible on a large scale. Using an accurate database of mobile number prefixes and very few resources, we were able to retrieve 10% of all US mobile numbers for WhatsApp and 100% for Signal. Regarding Telegram, it turns out that its API reveals a lot of sensitive information, even about phone numbers that are not registered with the service.

Source: https://contact-discovery.github.io/de/ (external)


Notes

Important:
The information and the script are for demonstration purposes only and may only be used for monitoring purposes with the consent of the persons concerned!

Notes:

  • The script is not intended for spying on / exposing people, but is meant to make clear how simple it is to implement and what the potential danger is.

  • Use at your own risk.

  • Requests to change/adapt the script will not be answered.

Everything that is technically possible is done - WhatsApp spying is no exception. But the “misconduct” of centralized services (Google/WhatsApp/Facebook, …) should not be used as a justification for your own “spying”.

Important:
Spying on the privacy of friends/acquaintances/strangers is immoral, impolite and possibly even prohibited/punishable!

Sources:
https://www.hna.de/netzwelt/grosse-sicherheitsluecke-bei-whatsapp-entdeckt-zr-8318025.html
http://www.chip.de/news/WhatsApp-Sicherheitsluecke-erlaubt-Ueberwachung-von-Freunden_124936240.html

English:
https://www.lorankloeze.nl/2017/05/07/collecting-huge-amounts-of-data-with-whatsapp/
https://robertheaton.com/2017/10/09/tracking-friends-and-strangers-using-whatsapp/
https://www.onlinestatusmonitor.com


Further information

Supplementary information on the topic is provided here:

  1. WhatsApp and permissions under Android
  2. System comparison of WhatsApp with other (free) systems
  3. Ban on the use of WhatsApp in schools and companies