A privacy bug in WhatsApp allows strangers to view users’ profile pictures, even if they have been set to ‘contacts only’, a security researcher has found.
The flaw was discovered by 17-year-old Indrajeet Bhuyan, who showed in a video that the problem lies with the latest web version of the popular messaging platform.
The researcher also claimed that if a user sends a photo which is subsequently deleted, it’s not blurred out, as happens on the mobile version.
This would suggest the two are not properly synced yet.
Security expert Graham Cluley urged WhatsApp to address the issue as soon as possible.
“Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point. The fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those who the user has approved,” he wrote in a blog post.
“Let’s hope they are treating security and privacy as a high priority throughout the WhatsApp service, and fix this and any other remaining flaws in the web version of WhatsApp as soon as possible.”
Bhuyan is no stranger to the popular messaging platform. In December he apparently revealed a vulnerability which could allow attackers to remotely crash the Android version of the app by sending a 2KB message.
WhatsApp was bought by Facebook – which has previously been accused of failing to protect the privacy of its customers – for $19bn in February last year.
The platform is making strides towards greater security for its users, having announced last year that it would be rolling out strong encryption.
That has drawn criticism from various quarters including GCHQ boss Robert Hannigan and most notably prime minister David Cameron, who claimed that he would force providers to give access to users’ messages to the security services if requested.