Teen whiz exposes WhatsApp profile pic privacy blunder bug
That teddy bear icon was for friends' eyes only
A privacy hole in WhatsApp allowed anyone to view someone else's profile photo – even if a user had configured the mobile messenger app to only show their pic to their contacts.
The privacy slip-up, which came with the debut of WhatsApp’s newly-introduced web interface at web.whatsapp.com, was discovered by 17-year-old security researcher Indrajeet Bhuyan. The service was designed to allow users to chat with WhatsApp contacts through a browser, potentially on a PC or laptop.
Privacy settings applied on the mobile app were apparently not carried over onto the browser-based version of the technology, launched just days ago and only available through Google's Chrome browser. On the smartphone side, you can only use the functionality on Android, BlackBerry and Windows Mobile since there's no iOS version at this nascent stage.
There's no suggestion that messages themselves were exposed. Only profile pictures were viewable to world+dog.
A second issue, also discovered by the enterprisingly precocious Bhuyan, means that deleted photos are still viewable through the web client even though they appeared as blurred if deleted when accessed though mobile versions of the software. In both case you'd need to be logged in to see pictures in the trash, blurred or otherwise. This issue apparently stems from glitches in syncing functionality.
It's unclear if and when the web version of WhatsApp will be updated to iron out these security glitches.
WhatsApp recently introduced end-to-end encryption to better secure users’ messages, much to the chagrin of UK politicians such as David Cameron.
Bhuyan, who had previously discovered a way to crash WhatsApp on users’ phones simply by sending a specially crafted message, has put together videos illustrating the WhatsApp web photo privacy bug (here) and photo synch bug (here).
Security veteran Graham Cluley said even though no sensitive data had actually been exposed, the teenager was right to call WhatsApp out on the latest issues he's managed to uncover.
"Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point," Cluley explained in a blog post. "The fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those who the user has approved." ®
Sponsored: Becoming a Pragmatic Security Leader