In the picture you can see I made a quick POC (proof of concept) of this bug. I created an app (using Flutter) called WhatsApp Profile Stealer which shows your WhatsApp profile picture inside my app (which means any app already present on your phone with storage access can also access your profile picture!!!) and also sends the image to the Telegram channel t.me/whatsappprofile

Download link of my WhatsApp Profile Stealer app POC:

Telegram invite link for the WhatsApp Profile Stealer POC:

I sent the POC APK along with all these details to the Facebook Whitehat Bug Bounty Program.

It's a critical vulnerability: private details of the user (the profile picture) are disclosed to a third-party app without the user's knowledge. Think of an app in the Play Store with more than 100M+ downloads which needs storage access (I don't want to name any, obviously). This app could build a database of WhatsApp users' profile pictures, no matter what their profile visibility settings are.

If the app also takes the user's mobile number during registration, it can easily map a phone number to the user's exact WhatsApp profile picture. (A lot of e-commerce, online delivery and cab booking apps need your mobile number during registration.)

I gave these suggestions to WhatsApp as some of the fixes:

“1) Do you really think there should be a share button in the profile section, as that image might already be with the user on the device? (You have removed the share and download buttons from users' contact profiles in the recent updates; similarly removing that option would be a great fix.)

2) Another fix I can think of: instead of naming it me.jpg, you can use a random name so that a malicious app can't find the exact profile photo among the many image files in the same folder.

3) There is also another fix: storing the file only for a temporary time and then deleting it once the share is complete (this is risky; maybe an app can perform a timing attack).

Fix (2) and (3) can be combined as an effective solution so a malicious app can't access the profile picture.”

Here are screenshots of my chats with the Facebook Security Team:

Facebook and my replies for the second time for the same bug.

In case you want to try out the app, here are the download links:

So, this is the end of the article. Finally, remember this: “Any app installed on your device with read storage access is capable of viewing your WhatsApp profile picture, no matter how safe your profile visibility settings in Privacy Settings are.”

To be more secure, if you care about privacy and your profile picture and don't want your profile pictures to be leaked randomly online, then just don't use the share button in the profile section of your WhatsApp profile picture.
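For readers who build Android apps, here is what fixes (2) and (3) from the suggestions above look like in code, combined with a third measure the post does not mention: handing the image to the chosen receiver through a FileProvider content URI instead of writing it to shared storage at all. This is an added example written for this page; it is not WhatsApp's code and not code from the original post. It assumes it runs inside an Activity, that the app declares a FileProvider with the authority `<applicationId>.fileprovider` in its manifest, and that the provider's `file_paths.xml` exposes `<cache-path name="shared" path="shared/" />`; the object and function names are my own.

```kotlin
// Added example, not WhatsApp's code: share a profile image without leaving a
// world-readable, predictably named copy (such as me.jpg) in shared storage.
// Assumptions: called from an Activity; the manifest declares a FileProvider with
// authority "<applicationId>.fileprovider" whose file_paths.xml contains
// <cache-path name="shared" path="shared/" />.
import android.app.Activity
import android.content.Intent
import android.graphics.Bitmap
import android.net.Uri
import androidx.core.content.FileProvider
import java.io.File
import java.util.UUID

object ProfilePictureShare {
    private const val SHARE_DIR = "shared"

    /** Fix (2): write the picture under an unguessable name, and into the
     *  app-private cache directory rather than a folder other apps can list. */
    fun writeTempCopy(activity: Activity, picture: Bitmap): File {
        val dir = File(activity.cacheDir, SHARE_DIR).apply { mkdirs() }
        val file = File(dir, "${UUID.randomUUID()}.jpg")
        file.outputStream().use { out ->
            picture.compress(Bitmap.CompressFormat.JPEG, 90, out)
        }
        return file
    }

    /** Share via a content URI: only the app the user picks in the chooser is
     *  granted read access, and only to this one URI. Apps holding the storage
     *  permission gain nothing, because the file never touches shared storage. */
    fun share(activity: Activity, picture: Bitmap) {
        val file = writeTempCopy(activity, picture)
        val authority = "${activity.packageName}.fileprovider"
        val uri: Uri = FileProvider.getUriForFile(activity, authority, file)
        val send = Intent(Intent.ACTION_SEND).apply {
            type = "image/jpeg"
            putExtra(Intent.EXTRA_STREAM, uri)
            addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
        }
        activity.startActivity(Intent.createChooser(send, null))
    }

    /** Fix (3): delete leftover copies once sharing is over. Call from
     *  onDestroy() or a periodic job; returns the number of files removed. */
    fun purgeTempCopies(activity: Activity): Int {
        val dir = File(activity.cacheDir, SHARE_DIR)
        val leftovers = dir.listFiles() ?: return 0
        return leftovers.count { it.delete() }
    }
}
```

The design point worth noting: the timing-attack worry raised against fix (3) only exists when the temporary file sits in storage that other apps can read. `cacheDir` is internal, app-private storage, so a third-party app with the read-storage permission cannot open the copy during the window before it is deleted; the random name and the cleanup are defence in depth on top of that, not the primary control.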