How I was able to see private profile picture of any WhatsApp Business user.

About Facebook Business Manager

Small to large businesses use Business Manager to organise their business assets and information in one place. We can use Business Manager to control our Facebook assets and make sure that the right people have the correct access.

Business Manager Admin can only add assets which has owned by him or has given permission by asset Admin. Assets include Facebook Page, Ad accounts, Instagram accounts, Facebook Applications and WhatsApp accounts.

In order to add a Whatsapp Business account Business Manager Admin needs to enter WhatsApp Mobile number and verify the five digits code sent to number.

What was Bug here ?

The endpoint for linking WhatsApp numbers to Business Manager lacked sufficient rate limiting protections, Which allowed an Attacker to link any Whatsapp Business account to Business Manager.

What data was disclosed ?

It could have allowed an Attacker to reading the profile information, Which also includes “Profile Picture”(regardless the privacy setting of Profile Picture).

Timeline :

Reported : 23 September 2020

Triaged : 24 September 2020

Fixed : 29 September 2020




Security Researcher

Love podcasts or audiobooks? Learn on the go with our new app.

Castles In The Cloud: Defending Bulwarks, Crenellations and Moats

Security Authentication Framework in AliOS Things uMesh

Five most important thing in digital strategy

How Ethereum BIP-32 Hardware Digital Wallet Works

The Strategy Guide to Threat Hunting

mStable Bug Bounty Payout

{UPDATE} Hoverboard Racer 3D Hack Free Resources Generator


Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sameer Rao

Sameer Rao

Security Researcher

More from Medium

Cybersecurity Cockpit — A Pilot View

How to update Burp Suite on Kali Linux

Write-up: 2FA simple bypass @ PortSwigger Academy

How to protect from Spring4Shell