How I was able to see the private profile picture of any WhatsApp Business user

About Facebook Business Manager

Businesses of every size use Business Manager to organise their business assets and information in one place. It lets a business control its Facebook assets and make sure that the right people have the correct level of access.

A Business Manager admin can only add assets that they own or that an asset admin has granted them permission to use. Assets include Facebook Pages, ad accounts, Instagram accounts, Facebook applications and WhatsApp accounts.

In order to add a WhatsApp Business account, the Business Manager admin needs to enter the WhatsApp mobile number and verify the five-digit code sent to that number.

What was the bug here?

The endpoint for linking WhatsApp numbers to Business Manager lacked sufficient rate limiting. A five-digit code has only 100,000 possible values, so without a cap on failed attempts the verification step does not actually prove control of the number, which allowed an attacker to link any WhatsApp Business account to their own Business Manager.
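As an added illustration (not code from the original post), here is a minimal code-verification handler in the weak form, which accepts unlimited guesses, beside a hardened form that caps failed attempts per issued code, expires codes and makes them single-use. The attempt limit, the code lifetime and the phone numbers are assumed values.

```python
import hmac
import secrets
import time

# Constructed example of an SMS-style verification step like the one used
# to link a WhatsApp number. Policy values below are assumptions.
MAX_ATTEMPTS = 5          # failed guesses allowed per issued code
CODE_TTL_SECONDS = 300    # lifetime of an issued code


class WeakVerifier:
    """Unthrottled check: a 5-digit code has only 100,000 values, so an
    unlimited number of guesses makes the code meaningless."""

    def __init__(self):
        self.codes = {}

    def issue(self, number):
        code = f"{secrets.randbelow(100_000):05d}"
        self.codes[number] = code
        return code

    def verify(self, number, guess):
        return self.codes.get(number) == guess


class HardenedVerifier:
    """After MAX_ATTEMPTS failures the code is discarded and a fresh one
    must be requested; codes also expire and are single-use."""

    def __init__(self, now=time.monotonic):
        self.now = now                  # injectable clock for testing
        self.state = {}                 # number -> (code, issued_at, failed)

    def issue(self, number):
        code = f"{secrets.randbelow(100_000):05d}"
        self.state[number] = (code, self.now(), 0)
        return code

    def verify(self, number, guess):
        entry = self.state.get(number)
        if entry is None:
            return False
        code, issued_at, failed = entry
        if self.now() - issued_at > CODE_TTL_SECONDS or failed >= MAX_ATTEMPTS:
            del self.state[number]      # stale or exhausted: force a re-issue
            return False
        if hmac.compare_digest(code, guess):
            del self.state[number]      # correct code is consumed once
            return True
        self.state[number] = (code, issued_at, failed + 1)
        return False
```

The hardened form returns False for the correct code once the attempt budget is spent, so a guessing client cannot succeed without the legitimate user requesting a new code.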

What data was disclosed?

It could have allowed an attacker to read the linked account's profile information, which also includes the profile picture, regardless of the privacy setting applied to it.

Timeline:

Reported: 23 September 2020

Triaged: 24 September 2020

Fixed: 29 September 2020

Sameer Rao
Security Researcher
