The research group Zengo X has revealed a flaw in WhatsApp’s ‘View Once’ feature that lets recipients bypass its privacy controls and save media meant to disappear after a single viewing.
What Is “View Once”?
WhatsApp, with over two billion users, provides end-to-end encryption for privacy. Introduced in 2021, the “View Once” feature allows users to send photos, videos, and voice messages that disappear after viewing, aiming to protect sensitive media.
The “View Once” feature is intended to function exclusively on WhatsApp’s mobile applications for Android and iOS. When users receive a “View Once” message on WhatsApp’s desktop or web versions, they are informed that the content can only be viewed on a mobile device.
WhatsApp’s mobile apps also block screenshots and screen recording of “View Once” media.
“View Once” Vulnerability
However, Zengo X has found a critical flaw in WhatsApp’s web client that lets recipients bypass the “View Once” feature and save media meant to disappear after a single view. Tal Be’ery, a security researcher with Zengo X, published a blog post detailing the vulnerability on September 9, 2024.
1/ WhatsApp "View once" media message is worse than no privacy.
It's a privacy theater encouraging users to give away their privacy under false pretenses.
See video and thread below on our @ZenGo research discovering it. pic.twitter.com/omRmJc0mfD
Tal Be’ery (@TalBeerySec), September 9, 2024
According to Be’ery, “View Once” messages are ordinary media messages carrying an extra “view once” flag. Since it is the recipient’s client that honours the flag, a modified client can simply clear it, after which the media can be downloaded and shared like any other attachment.
In addition, the media can be fetched by any client without authentication, and some client versions even render a low-quality preview of it. The encrypted media also stays on WhatsApp’s servers for up to two weeks after it has been viewed instead of being deleted immediately. Together these mean that exact digital copies of supposedly ephemeral media can be kept and redistributed.
Be’ery stressed that the real risk is not just the missing protection but the false sense of security the feature gives senders. He argued that WhatsApp should either fix the feature properly or withdraw it, suggesting a more robust Digital Rights Management (DRM) scheme or restricting “View Once” media to mobile devices as ways to address the problem.
WhatsApp’s Response
Zengo X responsibly disclosed its findings to Meta. Be’ery was not the first to find the bug, however: he came across posts promoting browser extensions that make it trivial to circumvent “View Once” in WhatsApp’s web client. Having established that the issue was already being exploited, Zengo X decided to publish the details to protect WhatsApp users’ privacy.
In response to an inquiry from TechCrunch last week, shortly after Be’ery reported the bug, WhatsApp spokesperson Zade Alsawah said that updates to the “View Once” feature on the web are being rolled out and advised users to send such messages only to trusted contacts, a caution that is also given on WhatsApp’s official website.