My Interview With Russia Today, an International News Channel

A few months back, when WhatsApp Web was made public, I found a few flaws in it. WhatsApp released its web client, which is called WhatsApp Web, and as soon as it was released everyone was curious to know whether there was some kind of bug in it. Even I was curious to know.

On the day it got released, I found two bugs in it. And to my surprise, my findings went viral. They were covered by almost all the popular newspapers, online news portals, etc. A few of them are: International Business Times, The Hacker News, The Assam Tribune, Infosecurity Magazine, etc. Even the popular British security analyst Graham Cluley shared his valuable opinions about my findings on his blog.

A few days after I found the flaw, I was interviewed by Russia Today, one of the top international news channels of the world. As they don’t have a studio in my city, the interview was done on Skype.

Here is the text version of my interview with Russia Today.

Russia Today: Can you tell us more about the two exploits that you’ve discovered in the new WhatsApp Web messenger?

Indrajeet Bhuyan: Well, I have discovered two vulnerabilities in WhatsApp.
  • WhatsApp photo privacy bug
WhatsApp gives us the option to hide our profile picture from others. WhatsApp offers 3 options: a. everyone, b. contacts, c. nobody. If we set privacy to contacts only, then only the people who are in our contact list can view our profile picture. But the new version of WhatsApp Web allows us to view a user’s profile image even if we are not on the contact list of that user. Even if the user has set the profile image privacy setting to “Contacts Only,” the profile picture can be viewed by people outside the contact list as well. Here is the video demonstration that I made:

  • WhatsApp Web Photo Sync Bug
Two weeks back, when WhatsApp released its web client called WhatsApp Web, they said that all the messages will be synced. This means that if we send a message from our phone, it will appear on WhatsApp Web too, and if we send a message from WhatsApp Web, the message will appear on our mobile too. Now if we delete a message from the mobile, then the chats get refreshed in WhatsApp Web and the message that was deleted on the mobile gets deleted. But the same does not happen with photos.

If we send a photo from our mobile, it appears in our WhatsApp Web too, and then when we delete the photo from our mobile, the photo appears blurred on our mobile as it is deleted, but the same does not happen in WhatsApp Web. It does not get refreshed the way it did when the user deleted a text. The photo is still accessible through WhatsApp Web, as the photo does not get deleted from its web client, revealing the fact that the mobile and web clients of the service are not synced properly. Here is the video demonstration that I made:
https://www.youtube.com/watch?v=vxEi2E5Wnew

Russia Today: I know I use WhatsApp a lot, so do most of my friends. What do these discoveries really mean for users like me and them?

Indrajeet Bhuyan: Well, it’s not the most serious privacy breach that has ever occurred, but WhatsApp gives its users an option to hide their profile photo from unwanted people. The fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honor their choices and only allow their photos to be viewable by those whom the user has approved. But that does not happen here, as it can be viewed by other people too, which in some way gives the user a sense of insecurity and violates their privacy.

Russia Today: What can these exploit discoveries tell you about the privacy protections that WhatsApp’s new program offers? You know it’s been a hot topic ever since the Snowden leaks.

Indrajeet Bhuyan: The Snowden leak was about leaking data to government agencies. If that thing exists in WhatsApp, government agencies can access data via some kind of backdoor. Privacy issues like the ones I found, or what some researchers generally find, are the result of bad testing of the code. Sometimes people ignore the weakest links, which can lead to potentially dangerous vulnerabilities. WhatsApp already confirmed the end-to-end encryption, which is still in the roll-out phase. We can expect something good. But it will also not help much if there are privacy holes like this.

Russia Today: The developers of WhatsApp have quite a budget – so how come it’s “regular hackers” like you, and others from India, China and Russia, that seem to be making key exploit discoveries, and not these American companies with a budget it seems?

Indrajeet Bhuyan: Budget does not matter. They have a high budget, a bug team for security and people from big universities. Here in India and other Asian countries, there are various talented people who are hardcore hackers and can do a lot more things. Most of the security halls of fame of different companies like Google, Facebook, etc. are filled with Indian and other Asian security researchers and hackers. But the education and degree process here does not allow them to be employees of these companies. I have seen many underground hackers who are not actually graduates, but they are much better than computer security graduate students.