Just a week after the launch of WhatsApp Web, the desktop version of the popular mobile messaging application WhatsApp, 17-year-old security researcher Indrajeet Bhuyan discovered two security flaws. Bhuyan is already known to the IT security community for discovering a critical vulnerability in the mobile version of WhatsApp that could be exploited to remotely crash the application by sending a specially crafted message of just 2 KB in size, which also caused the loss of entire conversations.
The new bugs in the WhatsApp web client reported by Indrajeet Bhuyan could expose users' information. The first bug, dubbed by the researcher the "WhatsApp photo privacy bug", allows anyone to view a user's profile image even if the viewer is not in the contact list of the targeted user and even though the victim has set the profile image privacy setting to "Contacts Only".
The second bug, dubbed the "WhatsApp Web Photo Sync Bug", affects the photo syncing functionality of WhatsApp Web. The researcher noticed that whenever a user deletes an image received in the mobile version of WhatsApp, the picture appears blurred in the mobile app and can no longer be viewed there.
However, an image that has already been deleted from the mobile app can still be accessed through the WhatsApp Web client, which shows that the WhatsApp mobile app and the WhatsApp web client are not correctly synchronized.
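The two bugs described above both come down to a check that depends on which client asks. The following is an added, hypothetical model (not WhatsApp's code) of how a server-side policy would close both gaps: the "Contacts Only" profile-photo setting is enforced once, on the server, for every client, and a deletion performed on one client writes a tombstone that is consulted before any client's cached copy is served. `User`, `MediaStore` and the privacy values are assumptions for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class User:
    uid: str
    contacts: Set[str] = field(default_factory=set)
    photo_privacy: str = "everyone"        # assumed values: "everyone" | "contacts" | "nobody"
    profile_photo: Optional[str] = None


def can_view_profile_photo(viewer: User, owner: User) -> bool:
    """Server-side decision; it never depends on whether the caller is the mobile or web client."""
    if owner.photo_privacy == "everyone":
        return True
    if owner.photo_privacy == "contacts":
        return viewer.uid in owner.contacts
    return False                           # "nobody" and any unknown value deny by default


def get_profile_photo(viewer: User, owner: User) -> Optional[str]:
    return owner.profile_photo if can_view_profile_photo(viewer, owner) else None


class MediaStore:
    """One authoritative store; each client keeps a cache, but deletions win over cached copies."""

    def __init__(self) -> None:
        self._blobs: Dict[str, bytes] = {}
        self._deleted: Set[str] = set()                        # tombstones for deleted media
        self._client_cache: Dict[Tuple[str, str], bytes] = {}  # (client_id, media_id) -> bytes

    def put(self, media_id: str, data: bytes) -> None:
        self._blobs[media_id] = data

    def sync_to(self, client_id: str, media_id: str) -> Optional[bytes]:
        """A client (e.g. the web client) pulls a copy into its own cache."""
        data = self._blobs.get(media_id)
        if data is not None:
            self._client_cache[(client_id, media_id)] = data
        return data

    def delete(self, media_id: str) -> None:
        """Deleting from any client removes the blob and records a tombstone."""
        self._blobs.pop(media_id, None)
        self._deleted.add(media_id)

    def fetch(self, client_id: str, media_id: str) -> Optional[bytes]:
        if media_id in self._deleted:      # checked before the client cache, so stale copies are never served
            self._client_cache.pop((client_id, media_id), None)
            return None
        return self._client_cache.get((client_id, media_id), self._blobs.get(media_id))
```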
It is quite normal for a newborn application like WhatsApp Web to be affected by flaws, and I have no doubt that WhatsApp will fix them as soon as possible.
(Security Affairs – WhatsApp Web, messaging)