Due to a security problem, users’ profile photos can be seen by anyone even if they had been set to private.
17-year-old security researcher Indrajeet Bhuyan discovered the problem, which he says results from the phone app not properly syncing with the recently released web interface. According to Andrew Griffin of The Independent, Bhuyan has previously discovered other issues with WhatsApp, including working out how to make the app crash on Android devices by sending a short message to users.
A minor privacy issue
In this instance the issue concerns the privacy of profile pictures. Users can set their privacy settings so that their profile photo cannot be viewed by anyone who is not on their contact list, but the bug allows people to see any profile photo they like.
The new web application also displays photos that the user has previously deleted. The mobile app blurs these photos so that they are no longer visible, but that is not the case on the web version.
“Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point,” wrote security expert Graham Cluley on his blog. “The fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those who the user has approved.”
WhatsApp: Strong security focus
WhatsApp will surely move to fix the bug in order to maintain its good reputation on security. The company recently introduced end-to-end encryption to ensure security and privacy.
Since its release on January 21, the response to the web client has been mixed. Some users were happy to finally be able to use the app from their PC, but others were left disappointed. The most common complaints arose from its limited functionality and compatibility.
Fixing this minor bug is a small task compared to improving the web client, which is surely a more important issue.