The privacy flaw appears to have been introduced by WhatsApp’s newly-introduced web interface at web.whatsapp.com, which allows you to chat via your browser with your WhatsApp contacts.
Unfortunately, at least at the moment, it seems that the web version of WhatsApp is not obeying all of the privacy settings used by the immensely-popular mobile app.
Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point. The fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those who the user has approved.
Additionally, Bhuyan also uncovered another problem in relation to WhatsApp’s new web version, discovering that sent images that are subsequently deleted are not blurred (as they are for mobile WhatsApp users) but fully viewable via the web client.
The speculation is that the web version of WhatsApp is doing a poor job of keeping in sync with its mobile counterparts in this regard.
It appears that Bhuyan has a colourful history of finding holes in WhatsApp, having previously discovered a way to crash WhatsApp on users’ phones remotely by sending a specially-crafted 2KB message.
Recently, WhatsApp introduced end-to-end encryption to better secure users’ message (much to the annoyance of David Cameron and his cronies who would like the authorities to have a backdoor to spy on what people are saying to eachother).
Let’s hope they are treating security and privacy as a high priority throughout the WhatsApp service, and fix this and any other remaining flaws in the web version of WhatsApp as soon as possible.