The not precisely a vulnerability resides in the two of features that are harmless themselves: the last seen status, and the online status. This information can be logged and analyzed to keep an eye on your activity.
If we talk about WhatsApp’s privacy settings, it’s possible to limit the visibility of your last seen status to Everyone, your friends, no one. But there is no way you can hide the online status.
Rob Heaton, a software engineer, has demonstrated this strange thing by creating a Google Chrome extension which logs the online activity of his contacts through the WhatsApp web app.
Taking the so-called surveillance to the next level, the data belonging to a person can be cross-referenced to that of another person, and it can be known if they two are talking to each other.
Let’s say, a person comes online to send a message, and another person shows up at the same moment. If this continues for a while, it can be inferred the two are in a conversation.
If the data monitoring is done at a larger scale, the consequences might give you chills down your spine. It can be used to satisfy the hunger of advertising agencies who drool over your information even while they’re asleep. In a hypothetical scenario, you can even create a company that runs a service to return people’s WhatsApp information against their phone number, Heaton says.
You can read Heaton’s blog post to get a bigger picture.