WhatsApp Web has privacy holes that could expose user photos

WhatsApp has just rolled out a new service called WhatsApp Web that allows users to sync the messaging app between their mobile devices and desktop, but the new web client has a couple of privacy pitfalls that show it’s not really ready for its close-up.

The problems with the web client, which were reported to us by Indrajeet Bhuyan, a 17-year-old security blogger, undermine privacy settings that work just fine on the WhatsApp mobile app.

According to Bhuyan, in some situations users of WhatsApp Web can see photos they’re not supposed to view and which they wouldn’t see on the mobile app.

In the WhatsApp mobile app, you can delete a photo from your device after sending it and the recipient will see only a blurred-out version of the photo.

But Bhuyan reported that a photo sent from his mobile device and then deleted was still visible without the blurring in the web client.

As WhatsApp noted in a 21 January 2015 blog post announcing the new service, WhatsApp Web “mirrors conversations and messages from your mobile device,” and all messages “live on your phone.”

But since photos deleted from your phone are still showing up in the web client, we can infer that the mobile and web apps are not syncing properly.

The second problem, says Bhuyan, is that your profile photo may remain visible on WhatsApp Web even after you’ve used the feature in the mobile app to restrict your photo to contacts only.

Ironically, this seems to be the reverse of various mobile-versus-web problems we’ve written about before, where it was the mobile version that fell short of the security offered by its web-based equivalent.

Both of these bugs seem like they could have or should have been caught before WhatsApp Web was released – as though WhatsApp rushed this product out the door without enough testing.

A few other issues with WhatsApp Web make me think it wasn’t quite ready and could have waited: so far the web client only works in Chrome, and it isn’t available yet for users of the iOS mobile app (due to “Apple platform limitations,” WhatsApp says).

WhatsApp, which has more than 500 million users worldwide and was purchased by Facebook in 2014 for a mind-boggling $19 billion, has run afoul of regulators and privacy advocates for its past sloppy behavior.

We applauded WhatsApp when it rolled out end-to-end encryption to protect users’ private messages.

But this latest privacy bungle has me, in the shorthand of chat initialisms, SMH (translation – shaking my head).


Image of WhatsApp on Android courtesy of Twin Design / Shutterstock.com.