Feb 2, 2015 · 1 minute

A teenaged security researcher has discovered a problem with WhatsApp's new site that could make it hard for the service's users to control who can view their photos.

The issue stems from the fact that WhatsApp Web simply mirrors the messages, photos, and other information sent to the service's Android application. (The Web service doesn't work for iPhone users because of Apple's restrictions on the app.)

So when an image is sent to someone via WhatsApp it's automatically sent to the Web app. But the service boasts a feature which allows its users to "delete" photos after they're sent, with a blurred image taking its place, to protect user privacy.

Yet the Web client doesn't seem to replace the photo with a blurred placeholder -- the original image is still available, ostensibly because the site mirrors the original image but doesn't bother to check to see if it was later deleted via the mobile app.

The Web client could also display a user's profile picture to all WhatsApp users even if they previously said they wanted to restrict the image to their contacts. It seems the WhatsApp Web service simply isn't as secure as its mobile counterparts.

Sophos, in its Naked Security blog, chides WhatsApp for the issues. "Both of these bugs seem like they could have or should have been caught before WhatsApp Web was released," it said, as if it were "rushed out the door without enough testing."

WhatsApp has always been hit-or-miss when it comes to protecting user privacy, as Pando's Yasha Levine explained when Facebook acquired the company in 2014. It seemed to reverse that trend by including end-to-end encryption in its Android app; apparently that was less a reversal and more the "hit" to WhatsApp Web's "miss."

[illustration by Brad Jonas]