Last week, WhatsApp, the most popular mobile messaging application, finally arrived on the web as WhatsApp Web, but unfortunately the web version needs some improvements.
Indrajeet Bhuyan, an independent 17-year-old security researcher, reported two security holes in the WhatsApp web client that in some way expose its users' privacy. Bhuyan called the first hole the WhatsApp Photo Privacy Bug and the other the WhatsApp Web Photo Sync Bug.
Bhuyan is the same security researcher who reported to us the vulnerability in the widely popular mobile messaging app that allowed anyone to remotely crash WhatsApp by sending a specially crafted message of just 2kb in size, resulting in the loss of conversations.
WhatsApp Photo Privacy Bug
According to him, the new version of WhatsApp Web allows us to view a user's profile image even if we are not on that user's contact list. Even if the user has set the profile image privacy setting to "Contacts Only," the profile picture can still be viewed by people outside their contacts.
Normally, if we set the profile image privacy to Contacts Only, only the people in our contact list are able to view our profile picture, and nobody else. But this is not the case with WhatsApp Web. You can watch how this works in the video demonstration below:
WhatsApp Web Photo Sync Bug
The second security hole concerns the WhatsApp Web photo syncing functionality. Bhuyan noticed that whenever a user deletes a photo that was sent via the mobile version of the WhatsApp application, the photo appears blurred and can't be viewed.
However, the same photo, which the user has already deleted from the mobile version of WhatsApp, remains accessible through WhatsApp Web because it is not deleted from the web client, revealing that the mobile and web clients of the service are not synced properly. You can also watch a video demonstration of this:
This is no surprise, as WhatsApp Web was introduced just a couple of days ago and small security and implementation flaws like these could be expected at this time. Some other bugs could also be revealed in the near future.
However, the company will surely fix the issues and will definitely make its users' messaging experience secure. In partnership with Open Whisper Systems, WhatsApp recently made end-to-end encryption a default feature on the Android platform, a step forward for the online privacy of its users around the world.