Secret Surveillance: How Abusers Are Exploiting WhatsApp’s Linked Devices Feature

By Simon Lewis

Sarah* (not her real name), a mother of two, was going through a difficult separation. Her soon-to-be ex-husband Mark* had always been controlling, but as their marriage crumbled, his behavior escalated.

Without her knowledge, Sarah’s husband had found a new way to keep tabs on her: WhatsApp’s Linked Devices feature.

One afternoon, while Sarah was busy with the kids, Mark used her phone to scan a QR code on his laptop. This simple act granted him access to Sarah’s entire WhatsApp history – her conversations with friends, family, and even her divorce lawyer.

For weeks, Mark monitored Sarah’s every message, fueling his anger and resentment. Sarah had no idea that her most private conversations were being exposed.

Sarah’s story, unfortunately, isn’t unique. In recent months, Certo has received multiple reports of this feature being exploited for secret spying, particularly in situations of domestic tech abuse and coercive control.

In this article, we delve into the details of how this WhatsApp feature is being exploited, the warning signs to watch for, and crucial steps you can take to protect yourself.

WhatsApp’s Linked Devices: A Double-Edged Sword

WhatsApp’s Linked Devices is a feature that allows users to access their WhatsApp account on up to four additional devices such as computers, tablets, or other phones.

Once linked, these devices can send and receive messages independently, offering convenience for users who want to stay connected across multiple platforms.

Although this feature is designed for convenience, it can become a threat in the hands of hackers and cyberstalkers.

Here’s how it works:

  1. The hacker visits https://web.whatsapp.com/ on their own device. A QR code is displayed on screen.
  2. They get hold of the victim’s phone, open WhatsApp, and scan the QR code displayed on the hacker’s device.
  3. The hacker can now view all of the victim’s WhatsApp messages, past and present, on their own device and even send messages on the victim’s behalf.

Fig 1. Linking a WhatsApp account in a web browser.

Once this connection is established, the hacker no longer needs access to the victim’s phone, allowing them to spy on messages from anywhere in the world.

This method is particularly concerning because it does not require any spyware or malicious apps to be installed on the victim’s device. This makes it compatible with almost any smartphone with WhatsApp installed and means the perpetrator does not need any special technical skills.

How Does WhatsApp Currently Prevent Abuse of Linked Devices?

WhatsApp does have a notification system in place to alert users when their account is accessed on another device. It will send a push notification (see screenshot below) at a random time shortly after a new Linked Device is added.

We tested 10 different devices, and this notification always appeared between 5 minutes and 1.5 hours after setting up a linked device.

It’s important to note, however, that this notification only appears once and can be easily dismissed by someone with physical access to the phone.

Therefore, it’s entirely possible that the phone’s owner may never see this notification, leaving them unaware that someone has been secretly accessing their private messages.

Fig 2. Notification of a new WhatsApp linked device.

What WhatsApp Could Do Better

While Linked Devices is a legitimate feature, it can be abused. Here’s what we think WhatsApp could be doing better to protect its users:

Daily notifications: Send daily notifications (at random times) to remind users that their account is linked to another device.

In-app warnings: Display a persistent message within the app to inform users that their account is linked.

How to Protect Yourself

The most concerning aspect of this vulnerability is that there are no obvious signs that your WhatsApp account is being monitored. Beyond the initial notification, there are no additional warnings within the app itself to suggest that another device is linked to your account.

This means that if you miss this notification – or if it’s quickly dismissed by someone with access to your phone – the surveillance could continue unnoticed for an extended period. The person monitoring your messages could gain deep insights into your personal life, conversations, and relationships without your knowledge.

The covert nature of this vulnerability raises serious privacy concerns, particularly in situations involving potential stalking, harassment, or abuse. The ability to secretly monitor someone’s WhatsApp messages can be a powerful tool for manipulation and control.

The most reliable way to protect yourself is to review the “Linked Devices” section in WhatsApp settings. Here’s how:

➡️ iPhone:

  1. Open WhatsApp.
  2. Tap Settings (gear icon) in the bottom right corner.
  3. Tap Linked Devices.
  4. Review the list of linked devices. If you see any devices you don’t recognize, tap them and select Log Out.

Fig 3. Removing a linked device from iPhone.

➡️ Android:

  1. Open WhatsApp.
  2. Tap the three vertical dots in the top right corner (More options).
  3. Tap Linked devices.
  4. Review the list of linked devices. If you see any devices you don’t recognize, tap them and select Log Out.

Fig 4. Removing a linked device from Android.

Here are some other measures you can take:

🟢 Use a strong PIN/biometrics: Secure your phone with a strong PIN, password, or biometric authentication (fingerprint or facial recognition) to prevent unauthorized access.

🟢 Check for additional Face IDs or fingerprints: An abuser with access to the victim’s phone could set up their biometric data on the device, providing another way to gain access and potentially cover their tracks. It’s therefore important to regularly review and remove any unrecognized biometric data.

🟢 Be mindful of who has access to your phone: Avoid leaving your phone unattended or unlocked in situations where someone could potentially access it without your knowledge.

🟢 Trust your gut: Victims of tech abuse often experience a sense of paranoia and self-doubt. It’s important to trust your instincts. If something feels off, it’s worth investigating further.

The Bottom Line

The misuse of WhatsApp’s Linked Devices is a stark reminder that even seemingly innocuous features can be exploited by abusers. By staying informed and vigilant, you can protect yourself and your privacy.

Remember, you are not alone. If you suspect you’re a victim of digital abuse, reach out to a trusted friend, family member, or support organization for help.