WhatsApp privacy hole exposes users’ private profile photos

Graham Cluley

17-year-old security researcher Indrajeet Bhuyan has discovered a privacy hole in WhatsApp that could expose your account’s profile photo to complete strangers, even if you have set it to be viewable to Contacts Only.

The privacy flaw appears to have been introduced by WhatsApp’s newly-introduced web interface at web.whatsapp.com, which allows you to chat via your browser with your WhatsApp contacts.

Unfortunately, at least at the moment, it seems that the web version of WhatsApp is not obeying all of the privacy settings used by the immensely-popular mobile app.

Bhuyan shared with Softpedia a video demonstrating the issue:

[Video: WhatsApp Web photo privacy bug]

Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point. The fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those who the user has approved.

Bhuyan also uncovered another problem with WhatsApp’s new web version: sent images that are subsequently deleted are not blurred (as they are for mobile WhatsApp users) but remain fully viewable via the web client.

The speculation is that the web version of WhatsApp is doing a poor job of keeping in sync with its mobile counterparts in this regard.
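The class of bug described above is avoided when the privacy decision is made once, on the server, for every request, and the type of client asking is ignored. The following is an added illustration and not WhatsApp's code; the account and media structures, the three privacy levels and the blurred placeholder are all assumptions.

```python
# Added example (not WhatsApp's code): server-side visibility checks that treat
# web and mobile clients identically, so a web client cannot bypass a
# "Contacts Only" setting or display media the sender has already deleted.
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumed privacy levels, mirroring the "Contacts Only" setting in the post.
EVERYONE, CONTACTS_ONLY, NOBODY = "everyone", "contacts_only", "nobody"

BLURRED_PLACEHOLDER = b"<blurred>"  # constructed stand-in for the blurred preview


@dataclass
class Account:
    phone: str
    photo_privacy: str = EVERYONE
    contacts: Set[str] = field(default_factory=set)  # numbers this user has saved
    profile_photo: Optional[bytes] = None


@dataclass
class Media:
    sender: str
    recipient: str
    blob: bytes
    deleted: bool = False


def profile_photo_for(viewer: str, owner: Account, client: str) -> Optional[bytes]:
    """Return the photo `viewer` may see. `client` ("web"/"mobile") is ignored on
    purpose: the owner's setting decides, not the interface making the request."""
    if viewer == owner.phone:
        return owner.profile_photo
    if owner.photo_privacy == EVERYONE:
        return owner.profile_photo
    if owner.photo_privacy == CONTACTS_ONLY and viewer in owner.contacts:
        return owner.profile_photo
    return None  # NOBODY, or a non-contact under CONTACTS_ONLY


def media_for(viewer: str, item: Media, client: str) -> Optional[bytes]:
    """Deleted media is served as the blurred placeholder to every client, rather
    than leaving the blurring to the mobile app alone."""
    if viewer not in (item.sender, item.recipient):
        return None
    if item.deleted:
        return BLURRED_PLACEHOLDER
    return item.blob
```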

It appears that Bhuyan has a colourful history of finding holes in WhatsApp, having previously discovered a way to crash WhatsApp on users’ phones remotely by sending a specially-crafted 2KB message.

Recently, WhatsApp introduced end-to-end encryption to better secure users’ messages (much to the annoyance of David Cameron and his cronies, who would like the authorities to have a backdoor to spy on what people are saying to each other).

Let’s hope they are treating security and privacy as a high priority throughout the WhatsApp service, and fix this and any other remaining flaws in the web version of WhatsApp as soon as possible.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

One comment on “WhatsApp privacy hole exposes users’ private profile photos”

  1. Coyote

    "Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point."
    Indeed. Privacy is drastically underrated. All one needs to do though, is tell those who suggest it isn't all that important (though I imagine some have thick enough skulls to still not work it out) that they're hiding things including their intentions. If that is not the case, prove it: give me your banking credentials, your passwords and your house keys. Sure you're not hiding anything?

    "The speculation is that the web version of WhatsApp is doing a poor job of keeping in sync with its mobile counterparts in this regard."
    s/.*/The speculation is that WhatsApp is doing a poor job of everything./

    (Of course… you could change things up a bit but the idea is the same, I think; maybe I'm not being fair but that's life, isn't it? I'll be honest though: I can't have a fair judgement here because I don't use it (thankfully).)

    "It appears that Bhuyan has a colourful history of finding holes in WhatsApp, having previously discovered a way to crash WhatsApp on users’ phones remotely by sending a specially-crafted 2KB message."
    Well that is amusing indeed. Reminds me of many old exploits but for computers rather than phones. See above, too. But something I never thought of, that is also interesting/amusing/etc.: kids these days have a different target (many more than us), too. I mean, while I had a lot of fun abusing COCOTs (customer owned coin operated telephones; and not toll fraud! things like: making it call itself and then handing it to someone nearby, telling them the call is for them), there are now mobile phones (well there were then, too, but much more widespread and almost all but expected) and all the social media services (via phones, computers, etc.). In general everything being connected increases the risk (that part isn't amusing) but since kids (generally) love these things, it means they have that chance of discovering flaws too, possibly without really realising what they're doing (as in: they don't realise how similar it might be to older people into security).

    Encryption: rather than remind everyone the real (in this case Oxford is wrong) definition of politician, I'll just state that the idea of privacy (as above) applies with encryption of personal information (whatever that information is!), too.
