Application security consultant, Shitesh Sachan, has warned that the “Delete for Everyone” WhatsApp feature doesn’t work on iPhone devices.
Sachan discovered that the feature doesn’t delete media files sent to iPhone users that have the “Save to Camera Roll” setting on. Whereas with Android users, the feature will delete the sent media files from the recipient’s camera roll as well.
This raises many concerns as by default WhatsApp automatically saves all images and videos a user onto their camera roll. However this setting can be turned OFF from the app’s settings, but not many people know about this.
It can be argued that Apple’s policies don’t allow apps to make amendments to files saved on the users’ Camera Roll without consent. If this is the case with WhatsApp, then the messaging platform should not falsely advertise the “Delete for Everyone” feature. Users should know to manually change their settings to not save attachments to their devices.
Sachan reported the issue to WhatsApp, but the company refused to accept the issue and responded saying:
“The functionality provided via “Delete for Everyone” is intended to delete the message and there is no guarantee that the media (or message) will be permanently deleted – the implementation focuses around the message presence in WhatsApp.”
WhatsApp’s security team also mentioned that recipients may have seen the message before it was deleted.
“This feature is working properly, and using the ‘delete for everyone’ feature in time will result in media being removed from the WhatsApp chat thread. We provide simple options to help iPhone users manage the media they receive from friends and family, per the best practices established by operating systems.
“If a user chooses to save images to their camera roll they are stored out of reach of WhatsApp’s ‘delete for everyone feature.”
Earlier this month, Telegram disclosed a privacy flaw in the “Delete for Everyone” feature, whereby it allowed users to recover images and videos that had been “unsent”. Fortunately the issue has now been patched.
No comments yet