Skip to content
Naked Security Naked Security

WhatsApp Web has privacy holes that could expose user photos

WhatsApp has just rolled out a new service called WhatsApp Web that allows users to sync the messaging app between their mobile devices and desktop, but the new web client has a couple of privacy pitfalls that indicate it's not really ready for its close-up.

WhatsApp mobile app privacyWhatsApp has just rolled out a new service called WhatsApp Web that allows users to sync the messaging app between their mobile devices and desktop, but the new web client has a couple of privacy pitfalls that show it’s not really ready for its close-up.

The problems with the web client, which were reported to us by Indrajeet Bhuyan, a 17-year-old security blogger, undermine privacy settings that work just fine on the WhatsApp mobile app.

According to Bhuyan, in some situations users of WhatsApp Web can see photos they’re not supposed to view and which they wouldn’t see on the mobile app.

In the WhatsApp mobile app, you can delete a photo from your device after sending it and the recipient will see only a blurred out version of the photo.

But Bhuyan reported that a photo sent from his mobile device and then deleted was still visible without the blurring in the web client.

As WhatsApp noted in a 21 January 2015 blog post announcing the new service, WhatsApp Web “mirrors conversations and messages from your mobile device,” and all messages “live on your phone.”

But since photos deleted from your phone are still showing up in the web client, we can infer that the mobile and web apps are not syncing properly.

The second problem, says Bhuyan, is that your profile photo may remain visible on WhatsApp Web even after you’ve used the feature in the mobile app to restrict your photo to contacts only.

Ironically, this seems to be the reverse of various mobile-versus-web problems we’ve written about before, where it was the mobile version that fell short of the security offered by its web-based equivalent.

Both of these bugs seem like they could have or should have been caught before WhatsApp Web was released – as though WhatsApp rushed this product out the door without enough testing.

A few other issues with WhatsApp Web make me think it wasn’t quite ready and could have waited: so far the web client only works in Chrome, and it isn’t available yet for users of the iOS mobile app (due to “Apple platform limitations,” WhatsApp says).

WhatsApp, which has more than 500 million users worldwide and was purchased by Facebook in 2014 for a mind-boggling $19 billion, has run afoul of regulators and privacy advocates for its past sloppy behavior.

We applauded WhatsApp when it rolled out end-to-end encryption to protect users’ private messages.

But this latest privacy bungle has me, in the shorthand of chat initialisms, SMH (translation – shaking my head).

Image of WhatsApp on Android courtesy of Twin Design /


This seems like a non problem. At some stage you’ve shared a photo or your profile with someone, given them the opportunity to screenshot it/save it/download it to another device…. then changed your settings or deleted the photo.

You should assume that once you’ve shared something with someone/the whole internet – its out there. Dont expect every feature to work in version 1


If it works one way in the mobile app and another way in the web app *when they are supposed to work the same*, then no matter how small a problem that might be, dismissing it as a “non problem” is not acceptable. It sets the standards that for new software to be “nearly OK” with privacy is fully OK. It is not.

Same for your comment about “version 1.” This isn’t about whether the automatic exposure correction widget works badly, as it might in V1 and get improved in V2. This is about privacy.

If there’s going to be a flaw in V1, let it be that the software doesn’t share as much as it reasonably could, not the other way around. Why shouldn’t we have a world in which privacy is built in at the start, not bodged on later?


There is no privacy issue here. If you’ve already given someone your photo at some point in time, you should assume the people you’ve shared your photo(s) with may have saved a copy somewhere Whatsapp can’t delete it.

When you publish something to the public or a group of people, then attempt to unpublish it by deleting it, its generally too late. If you dont want anyone to see it, dont publish it in the first place.

If you have sent someone a photo – they could have made a backup of their device and all its photos/settings to their computer. There is no way for Whatsapp to delete any backups they’ve made to another device.

Also, if you send someone a private photo, then delete it, it wont be deleted from their phone if they are offline.


All very true, but sort of not true at the same time – The option to ‘delete’ should work. If it doesn’t, it shouldn’t be there, regardless of whether or not other users can save pictures.


How to check whether our Whatsapp has been linked to a Web version without our permission or not? Scenario: A shop that you send your phone to, the guy sets up a Whatsapp Web, then uses your phone to snap the 2D barcode to verify it…then whatever you post/do on your mobile Whatsapp, the shop is able to see it. How to secure this?


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!