whatsapp delete for everyone
Mistakenly sent a picture to someone via WhatsApp that you shouldn't have?

Well, we've all been there, but what's more unfortunate is that the 'Delete for Everyone' feature WhatsApp introduced two years ago contains an unpatched privacy bug, leaving its users with false sense of privacy.

WhatsApp and its rival Telegram messenger offer "Delete for Everyone," a potentially life-saving feature on which millions of people today rely to escape the awkwardness of mistakenly sending messages / pictures / videos to the wrong person.

As the name indicates, the 'Delete for Everyone' feature is intended to unsend mistakenly sent inappropriate messages—including text, photos and videos—from the recipient's phone, or from the phones of all members of a group.

In the case of WhatsApp, the feature is only available within 1 hour, 8 minutes, and 16 seconds of sending a message you want to delete, which is fine and a fair use case.

However, it turns out that WhatsApp 'Delete for Everyone' feature doesn't delete media files sent to iPhone users (with default settings) as it does from the Android devices, leaving sent files saved on the recipient's iOS device even if the messenger chat screen displays you, "This message has been deleted."

According to Shitesh Sachan, an application security consultant, who found this privacy issue and shared his findings exclusively with The Hacker News, the feature for WhatsApp for iOS has not been designed to delete received media files saved in the iPhone's Camera Roll.

On the other hand, if you use 'Delete for Everyone' against an Android user, WhatsApp will delete the sent media files from the recipient device's gallery as well.



The incomplete functionality concerns because WhatsApp by default automatically saves all images/videos you receive via WhatsApp to your iPhone's Camera Roll or Android's Media Gallery, which otherwise can be turned OFF from the app's settings, but very few people either knows or care about it.

There's another angle to the story that Apple policies don't allow the apps to make any changes to files saved on the users' Camera Roll without their consent, which is a good thing. But if that's the case, WhatsApp should not even falsely advertise users 'Delete for Everyone' option unless their recipients' don't manually change settings to do not save attachments to the device external storage.
Web Application Firewall

Earlier this week, a similar privacy flaw was disclosed in the "Delete for Everyone" feature of the Telegram messenger, which the company patched immediately to keep the feature useful in situations for which it has primarily been designed.

When Sachan reported this issue to WhatsApp, the company refused to address the issue or extend the feature, saying:

"The functionality provided via "Delete for Everyone" is intended to delete the message and there is no guarantee that the media (or message) will be permanently deleted—the implementation focuses around the message presence in WhatsApp."

WhatsApp Security team also argued that the "recipients may see your message before it's deleted or if deletion wasn't successful," but as far as we understand the feature was not even intended to save users from out-of-the-hand scenarios where recipients move or save the media file manually or screenshot the chat.

Though WhatsApp says "there is no guarantee a message or the attachments will be deleted," the company hinted that it might make changes to this functionality and its implementation in the future.

In a statement shared with The Hacker News, a WhatsApp spokesperson said:

"This feature is working properly, and using the 'delete for everyone' feature in time will result in media being removed from the WhatsApp chat thread. We provide simple options to help iPhone users manage the media they receive from friends and family, per the best practices established by operating systems. If a user chooses to save images to their camera roll they are stored out of reach of WhatsApp's 'delete for everyone feature."

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.