Multiple Vulnerabilities found in WhatsApp Web



A few days back WhatsApp released its web client, which is called WhatsApp Web, and as soon as it was released everyone was curious to know if there existed some kind of bug in it. Even I was curious to know. So I tried a few things and I got two bugs on it. And to my surprise my findings went viral. It got covered by almost all the popular newspapers and online news portals. A few of them are: International Business Times, The Hacker News, The Assam Tribune, Infosecurity Magazine, etc. Even the popular British security analyst Graham Cluley shared his valuable opinions about my findings in his blog.

So here are the two bugs that I discovered in the new WhatsApp Web.

WhatsApp photo privacy bug

WhatsApp gives us the option to hide our profile picture from others. It offers three settings: a. everyone, b. contacts, c. nobody. If we set the privacy to "contacts only", then only the people who are in our contact list should be able to view our profile picture. But the new WhatsApp Web allows us to view a user's profile image even if we are not on that user's contact list. Even when the user has set the profile image privacy setting to "Contacts Only", the profile picture can still be viewed by people outside their contacts, so the restriction is not being enforced for the web client.

Here is the video demonstration:




As Graham Cluley said in his blog, it's not the most serious privacy breach that has ever occurred. But the fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those whom the user has approved.

WhatsApp Web Photo Sync Bug

Two weeks back, when WhatsApp released its web client WhatsApp Web, they said that all the messages would be synced. That means if we send a message from our phone it appears on WhatsApp Web too, and if we send a message from WhatsApp Web it appears on our mobile too. Now if we delete a message from the mobile, the chats get refreshed in WhatsApp Web and the message that was deleted on the mobile is deleted there as well. But the same does not happen with photos. If we send a photo from our mobile it appears in WhatsApp Web too, and when we then delete the photo from our mobile, the photo appears blurred on the mobile because it is deleted, but the same does not happen in WhatsApp Web. It does not get refreshed the way it does when the user deletes a text. The photo is still accessible from WhatsApp Web because it never gets deleted from the web client, revealing that the mobile and web clients of the service are not synced properly.
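The two bugs above are the same class of problem: a decision (who may see a profile photo, and whether a deleted item stays accessible) that must be made once, on the server, and applied identically to every linked client. The following is an added illustration written for this post, not WhatsApp's code; the classes, the "media://" reference format and the session names are assumptions. It shows the privacy check driven only by the photo owner's setting and contact list, and a deletion that is propagated to every session for photos exactly as for text.

```python
from dataclasses import dataclass, field
from enum import Enum


class PhotoPrivacy(Enum):
    EVERYONE = "everyone"
    CONTACTS = "contacts"
    NOBODY = "nobody"


@dataclass
class User:
    phone: str
    contacts: set = field(default_factory=set)
    photo_privacy: PhotoPrivacy = PhotoPrivacy.EVERYONE


def can_view_profile_photo(owner: User, requester_phone: str) -> bool:
    """Server-side decision, identical for the phone app and the web client.
    Only the owner's setting and the owner's contact list matter; whether the
    requester has the owner in *their* contacts is irrelevant."""
    if requester_phone == owner.phone:
        return True
    if owner.photo_privacy is PhotoPrivacy.EVERYONE:
        return True
    if owner.photo_privacy is PhotoPrivacy.CONTACTS:
        return requester_phone in owner.contacts
    return False  # NOBODY


@dataclass
class Message:
    msg_id: str
    kind: str          # "text" or "photo"
    body: str          # text, or a media reference such as "media://..." (assumed format)
    deleted: bool = False


class Account:
    """One account with several linked client sessions (e.g. phone and web)."""

    def __init__(self):
        self.sessions = {}  # session name -> {msg_id: Message}

    def link(self, name: str):
        self.sessions[name] = {}

    def send(self, msg: Message):
        # Every linked session gets its own copy of the message.
        for store in self.sessions.values():
            store[msg.msg_id] = Message(msg.msg_id, msg.kind, msg.body)

    def delete(self, msg_id: str):
        # Apply the deletion to every session, for photos exactly as for text,
        # and drop the media reference so nothing stays fetchable from the web client.
        for store in self.sessions.values():
            m = store.get(msg_id)
            if m is not None:
                m.deleted, m.body = True, ""

    def visible(self, session: str, msg_id: str) -> bool:
        m = self.sessions[session].get(msg_id)
        return m is not None and not m.deleted and m.body != ""
```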

Here is the video demonstration:


I have reported both the bugs to the WhatsApp security team and they are now working on it. Since WhatsApp Web is in its initial stage, I suppose things are not yet well arranged, but I hope that in the coming days WhatsApp patches these bugs and gives us a secure and awesome messaging platform.