Feb 17, 2015

WhatsApp's problems continue to mount.

Naked Security reports that a new tool allows anyone to see if a WhatsApp user is online regardless of whether they're friends or if the person doing the snooping even uses WhatsApp. The freely available utility has been appropriately dubbed the WhatsApp Spy Public tool.

Using the tool also allows someone to view a WhatsApp user's public profile picture, their status messages, and their privacy settings. The pictures and status messages can be viewed only if they are set to "public," but as Naked Security notes, that's the default profile setting.

The problem isn't so much that all this information is publicly available. It's that WhatsApp was made aware of the issue in September 2014 and still hasn't bothered to fix it, even as the company works to dispel the perception that it doesn't care about user privacy or security.

It doesn't help that this report follows the revelation that WhatsApp Web, the long-awaited desktop version of the messaging service that debuted in January, undermines the privacy features built into WhatsApp's mobile applications. As I reported earlier this month:

[T]he Web client doesn’t seem to replace [a deleted] photo with a blurred placeholder — the original image is still available, ostensibly because the site mirrors the original image but doesn’t bother to check to see if it was later deleted via the mobile app.

The Web client could also display a user’s profile picture to all WhatsApp users even if they previously said they wanted to restrict the image to their contacts. WhatsApp seemed to be approaching the right track when it tapped Open Whisper Systems to add end-to-end encryption to its Android application. But now it's starting to look like the company simply made one right move amid a series of troublesome mistakes.

[illustration by Brad Jonas]