How I was able to see the private profile picture of any WhatsApp Business user.

About Facebook Business Manager

Small to large businesses use Business Manager to organise their business assets and information in one place. We can use Business Manager to control our Facebook assets and make sure that the right people have the correct access.

What was the bug here?

The endpoint for linking WhatsApp numbers to Business Manager lacked sufficient rate-limiting protections, which allowed an attacker to link any WhatsApp Business account to Business Manager.
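One way to enforce the missing protection on the server side, as an added example (not code from this write-up or from Facebook): link attempts are budgeted per target number and per requesting account. The class name, limits and identifiers are assumptions, since the write-up does not describe the endpoint's internals.

```python
import re
import time
from collections import defaultdict, deque


def normalize_number(raw):
    """Reduce a phone number to digits so format variants share one budget."""
    return re.sub(r"\D", "", raw)


class LinkAttemptLimiter:
    """Sliding-window budget for link attempts (hypothetical names and limits).

    Attempts are counted per target number as well as per requesting account,
    so spreading requests over many accounts or IP addresses does not raise
    the number of tries available against one number.
    """

    def __init__(self, per_target=5, per_requester=20, window=3600.0,
                 clock=time.monotonic):
        self.limits = {"target": per_target, "requester": per_requester}
        self.window = window
        self.clock = clock
        self.attempts = defaultdict(deque)  # (kind, key) -> attempt timestamps

    def _recent(self, bucket, now):
        """Drop timestamps older than the window and return the live count."""
        stamps = self.attempts[bucket]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        return len(stamps)

    def allow(self, requester_id, target_number):
        """Record the attempt and return True only if both budgets have room."""
        now = self.clock()
        buckets = [("target", normalize_number(target_number)),
                   ("requester", requester_id)]
        if any(self._recent(b, now) >= self.limits[b[0]] for b in buckets):
            return False  # caller should answer HTTP 429 and raise an alert
        for b in buckets:
            self.attempts[b].append(now)
        return True


if __name__ == "__main__":
    # Constructed sample: five different accounts try the same (fictional) number.
    limiter = LinkAttemptLimiter(per_target=3, window=60.0)
    for i in range(5):
        print(f"biz-{i}", limiter.allow(f"biz-{i}", "+1 (555) 010-0000"))
```

Keying the budget on the normalized target number is the part that matters for this bug class: a limit keyed only on the caller's IP or session leaves the per-number budget effectively unlimited.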

What data was disclosed?

It could have allowed an attacker to read the profile information, which also includes the “Profile Picture” (regardless of the privacy setting of the profile picture).


