WhatsApp Web has vulnerability that could expose user photos

Uploading Photos on WhatsApp Web Risky as Privacy Lapses Discovered:

WhatsApp Web:

WhatsApp Web is a new service launched by WhatsApp. It allows users to sync their mobile and desktop devices with the messaging app.

In its blog post dated 21st January, 2015, WhatsApp announced the new web client and noted that WhatsApp Web “mirrors conversations and messages from your mobile device live on your phone.”

The messenger app has around 500 million+ users worldwide. In 2014, it was bought by Facebook for a whopping $19 billion.


Risk Factor(s) Identified:

Although the app has run afoul of privacy activists and regulators in the past for its sloppy behavior, WhatsApp was lauded by all when it introduced end-to-end encryption to secure users’ private chats.

However, this new web client contains some privacy pitfalls which mean it may not be the right time to launch it.

A seventeen-year-old security blogger, Indrajeet Bhuyan, reported the problems associated with the web client.

These lapses undermine the privacy settings in the web app; the same settings work just fine on the mobile app.

Bhuyan states that users of WhatsApp Web may be able to view photos that they are not allowed to view, or that are not visible to them, on the mobile app.

When you send a photo through the WhatsApp mobile app and delete it afterwards from your device, the recipient will be able to view only a blurred-out version of the photo.

However, Bhuyan states that in WhatsApp’s web client, the sent photo was still visible without any blurring after it was deleted.

This means the new web client of WhatsApp is unable to properly sync with the mobile app.

Another problem identified by Bhuyan is that even after you restrict your profile photo visibility to contacts only, it remains visible on WhatsApp Web.

Usually, it is the mobile version of an app that finds it difficult to sync with the desktop app properly. However, in this case it is the reverse since this time the web client is unable to sync with the mobile-based app.

Was the WhatsApp Web App Ready for Release? Maybe It Wasn’t

Apparently, these bugs could have been, or rather should have been, easily fixed before the launch of the WhatsApp web client. The presence of these bugs strengthens the impression that WhatsApp probably rushed the app and did not test it adequately before its final release.

Another aspect that makes it apparent that the WhatsApp Web app was not really ready for release is that the web client is compatible only with Chrome, and users of the iOS mobile app cannot benefit from it as yet. According to WhatsApp, this is due to “Apple platform limitations.”
