17-year-old security researcher Indrajeet Bhuyan has discovered a privacy hole in WhatsApp that could expose your account’s profile photo to complete strangers, even if you have set it to be viewable by your contacts only.
The privacy flaw appears to have been introduced by WhatsApp’s newly-introduced web interface at web.whatsapp.com, which allows you to chat via your browser with your WhatsApp contacts.
Unfortunately, at least at the moment, it seems that the web version of WhatsApp is not obeying all of the privacy settings used by the immensely-popular mobile app.
Bhuyan shared a video demonstrating the issue with Softpedia.
Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point. The fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those who the user has approved.
Bhuyan also uncovered another problem with WhatsApp’s new web version: sent images that are subsequently deleted are not blurred (as they are for mobile WhatsApp users) but remain fully viewable via the web client.
The speculation is that the web version of WhatsApp is doing a poor job of keeping in sync with its mobile counterparts in this regard.
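Both problems have the same shape: a privacy decision (who may see a profile photo; whether a deleted image may still be rendered) was being made in the mobile client, so a second client that never learned the rule, the web interface, simply did not apply it. The following is an added illustration of that design flaw and of the server-side fix, written for this page; it is a hypothetical model with constructed accounts and media, not WhatsApp’s actual code or API. The `serve_photo_unchecked` function is the flawed pattern (server hands the URL to every client and trusts the mobile app to hide it); `serve_photo` makes the decision once on the server. `client_independent` is the regression check a practitioner would want: the answer must not change with the client string.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Visibility(Enum):
    EVERYONE = "everyone"
    MY_CONTACTS = "my_contacts"
    NOBODY = "nobody"


@dataclass
class User:
    phone: str
    photo_url: Optional[str]
    photo_visibility: Visibility
    contacts: set = field(default_factory=set)  # numbers this user has saved


@dataclass
class Media:
    blob: Optional[bytes]
    deleted: bool = False


def can_view_photo(owner: User, viewer: User) -> bool:
    """The privacy rule itself: who may see owner's profile photo."""
    if owner.phone == viewer.phone:
        return True
    if owner.photo_visibility is Visibility.EVERYONE:
        return True
    if owner.photo_visibility is Visibility.MY_CONTACTS:
        return viewer.phone in owner.contacts
    return False  # NOBODY


def serve_photo_unchecked(owner: User, viewer: User, client: str) -> Optional[str]:
    """Flawed design (hypothetical): the server hands the URL to every client
    and relies on the mobile app to hide it locally. A client that never
    learned the rule (here 'web') shows the photo to anyone."""
    if client == "mobile" and not can_view_photo(owner, viewer):
        return None
    return owner.photo_url


def serve_photo(owner: User, viewer: User, client: str) -> Optional[str]:
    """Fixed design: the decision is made once, server-side; the client
    identity is accepted but deliberately plays no part in it."""
    if not can_view_photo(owner, viewer):
        return None
    return owner.photo_url


def delete_media(store: dict, media_id: str) -> None:
    """Deleting a sent image must drop the bytes server-side, not merely set a
    flag, otherwise a client that ignores the flag can still render them."""
    item = store[media_id]
    item.deleted = True
    item.blob = None


def serve_media(store: dict, media_id: str) -> Optional[bytes]:
    item = store.get(media_id)
    if item is None or item.deleted:
        return None
    return item.blob


def client_independent(serve: Callable[[User, User, str], Optional[str]],
                       owner: User, viewer: User,
                       clients=("mobile", "web")) -> bool:
    """Regression check: every client must get the same answer for the same
    (owner, viewer) pair. A difference means some client is enforcing policy."""
    answers = {serve(owner, viewer, c) for c in clients}
    return len(answers) == 1


# Constructed sample accounts and media (not real numbers, URLs or images).
ALICE = User("+15550000001", "https://cdn.example/alice.jpg",
             Visibility.MY_CONTACTS, contacts={"+15550000002"})
BOB = User("+15550000002", None, Visibility.EVERYONE)       # in Alice's contacts
STRANGER = User("+15550000003", None, Visibility.EVERYONE)  # not in her contacts

MEDIA = {"img-1": Media(blob=b"\x89PNG...constructed...")}


def demo() -> dict:
    delete_media(MEDIA, "img-1")
    return {
        "flawed_web_stranger": serve_photo_unchecked(ALICE, STRANGER, "web"),
        "flawed_is_client_independent": client_independent(serve_photo_unchecked, ALICE, STRANGER),
        "fixed_web_stranger": serve_photo(ALICE, STRANGER, "web"),
        "fixed_web_contact": serve_photo(ALICE, BOB, "web"),
        "fixed_is_client_independent": client_independent(serve_photo, ALICE, STRANGER),
        "deleted_media": serve_media(MEDIA, "img-1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the stranger receiving Alice’s photo URL through the flawed path on the web client but not on mobile (the client-independence check fails), while the fixed path returns nothing to the stranger on every client and still serves Bob, who is in her contacts. The deleted image is unobtainable from any client because the bytes are gone, not merely flagged.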
It appears that Bhuyan has a colourful history of finding holes in WhatsApp, having previously discovered a way to crash WhatsApp on users’ phones remotely by sending a specially-crafted 2KB message.
Recently, WhatsApp introduced end-to-end encryption to better secure users’ messages (much to the annoyance of David Cameron and his cronies, who would like the authorities to have a backdoor to spy on what people are saying to each other).
Let’s hope they are treating security and privacy as a high priority throughout the WhatsApp service, and fix this and any other remaining flaws in the web version of WhatsApp as soon as possible.
One comment on “WhatsApp privacy hole exposes users’ private profile photos”
"Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point."
Indeed. Privacy is drastically underrated. All one needs to do though, is tell those who suggest it isn't all that important (though I imagine some have thick enough skulls to still not work it out) that they're hiding things including their intentions. If that is not the case, prove it: give me your banking credentials, your passwords and your house keys. Sure you're not hiding anything?
"The speculation is that the web version of WhatsApp is doing a poor job of keeping in sync with its mobile counterparts in this regard."
s/.*/The speculation is that WhatsApp is doing a poor job of everything./
(Of course… you could change things up a bit but the idea is the same, I think; maybe I'm not being fair but that's life, isn't it? I'll be honest though: I can't have a fair judgement here because I don't use it (thankfully)).
"It appears that Bhuyan has a colourful history of finding holes in WhatsApp, having previously discovered a way to crash WhatsApp on users’ phones remotely by sending a specially-crafted 2KB message."
Well that is amusing indeed. Reminds me of many old exploits but for computers rather than phones. See above, too. But something I never thought of, that is also interesting/amusing/etc.: kids these days have a different target (many more than us), too. I mean, while I had a lot of fun abusing COCOTs (customer owned coin operated telephones; and not toll fraud! things like: making it call itself and then handing it to someone nearby, telling them the call is for them), there are now mobile phones (well there were then, too, but much more wide-spread and almost all but expected) and all the social media services (via phones, computers, etc.). In general everything being connected increases the risk (that part isn't amusing) but since kids (generally) love these things, it means they have that chance of discovering flaws too, possibly without really realising what they're doing (as in: they don't realise how similar it might be to older people into security).
Encryption: rather than remind everyone the real (in this case Oxford is wrong) definition of politician, I'll just state that the idea of privacy (as above) applies with encryption of personal information (whatever that information is!), too.