A software engineer named Robert Heaton has discovered a WhatsApp vulnerability that could allow a person to spy on another’s WhatsApp activity. While the exploit can’t be used to see the content of the messages, it could be used to identify when people are likely to be messaging each other, and when WhatsApp users are asleep.

The exploit can be achieved using an online computer and a Chrome extension containing only four lines of JavaScript, and it works thanks to WhatsApp’s usage of its online status indicator. By tracking when a person is online over an extended period, you can make some pretty good guesses about the times that they go to bed, and by looking at the figures from two contacts, you could potentially work out when they are messaging each other.

What’s potentially even more worrying is that the vulnerability isn’t unique to WhatsApp, either: someone has previously done basically the same thing with Facebook.

While knowing that two people are communicating without knowing what’s being said may sound unalarming — tantamount to watching a couple talking over coffee through a sheet of glass, perhaps — there are some troubling implications. What if, for example, a person suspects that their partner is cheating on them with someone who they frequently message? What if they want to know when that person is usually in bed asleep, too?

Of course, I’m not suggesting that this nightmare scenario is destined to happen, and the seriousness of the situation is up for debate; theoretically, you could just sit on WhatsApp watching for when two people come online to start making some guesses without prolonged activity monitoring.

Regardless, Heaton has highlighted another way in which WhatsApp’s billions of users offer up personal information simply by using the product — and how they’re doing so when WhatsApp could seemingly just allow users to turn off the Online status symbol to instantly quash it.