A security problem in WhatsApp means that anyone can see users’ profile photos, even if they have been set to be viewable to friends only, according to security researchers.
The problem, which was found by 17-year-old security researcher Indrajeet Bhuyan, seems to be a result of the phone app not being properly synced with the new web interface.
Users are able to set WhatsApp so that it only shares their profile photo with people they have as contacts. But the bug allows people to get around that and see the profile photos of strangers.
The web app also allows users to see photos that have since been deleted. On the phone app, those photos get blurred out — but on the web they seem to remain clearly forever.
“Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point,” wrote security expert Graham Cluley in a blog post on the bug. “The fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those who the user has approved.”
WhatsApp has been committed to ensuring security and privacy for its users, recently introducing end-to-end encryption.
The apps web client was introduced on January 21. While many were excited to finally be able to read and respond to messages from their PC, it also disappointed other users with its limited compatibility and functions.
Bhuyan has found holes in WhatsApp before, previously finding a way of forcing the app to crash on Android phones by sending a small message to users.