WhatsApp's 'View Once' could be 'View Whenever' due to a flaw
It promised vanishing messages, but now 'it's privacy theater'
A popular privacy feature in WhatsApp is "completely broken and can be trivially bypassed," according to techies at cryptowallet startup Zengo.
According to cofounder Tal Be'ery, his team was building a web interface that integrated WhatsApp when they discovered a flaw in the Meta chat application's View Once messages – photos, videos, and voice recordings that are supposed to disappear after the recipient sees them.
While the feature was supposed to be limited to platforms where the necessary controls are in place to ensure these messages actually disappear as expected, such as official WhatsApp mobile clients, the WhatsApp API servers would surprisingly give the data to applications that didn't respect the View Once feature.
"The View Once media messages are technically the same as regular media messages, only with the 'view once' flag set," the technical explanation from Zengo states.
"Which means it’s the virtual equivalent of putting a note on the picture that says 'don’t look.' All that is required for attackers to circumvent it is merely to set this flag to false, and the media become regular and can be downloaded, forwarded and shared."
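The design Zengo describes, modelled as an added example (this is illustrative code written for this article, not WhatsApp's or Zengo's; all class and method names are hypothetical). The weak server ships the media with a flag and leaves enforcement to the client; the hardened model keeps the "once" on the server, releasing media only through a single-use token and discarding it after the first retrieval:

```python
import secrets


class FlagOnlyServer:
    """Weak model: a View Once message is an ordinary media message plus a
    flag, and the server serves the media to any client regardless of
    whether that client will honor the flag."""

    def __init__(self):
        self._messages = {}

    def send(self, msg_id: str, media: bytes, view_once: bool) -> None:
        self._messages[msg_id] = {"media": media, "view_once": view_once}

    def fetch(self, msg_id: str) -> bytes:
        # Nothing on the server changes when the media is viewed, so a
        # modified client can fetch it again and keep, forward or share it.
        return self._messages[msg_id]["media"]


class SingleUseServer:
    """Hardened model: the server, not the client, owns the 'once'."""

    def __init__(self):
        self._messages = {}
        self._tokens = {}

    def send(self, msg_id: str, media: bytes, view_once: bool) -> None:
        self._messages[msg_id] = {"media": media, "view_once": view_once}

    def issue_token(self, msg_id: str, client_enforces_view_once: bool) -> str:
        # Gate on the client's declared capability. On its own this is just
        # another client-supplied flag; in a real deployment it would have to
        # be tied to something the server can verify (an attested client).
        msg = self._messages[msg_id]  # KeyError if already consumed
        if msg["view_once"] and not client_enforces_view_once:
            raise PermissionError("client does not enforce View Once")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = msg_id
        return token

    def fetch(self, token: str) -> bytes:
        # The token is consumed on use, and view-once media is deleted after
        # the first retrieval, so a second download is impossible server-side.
        msg_id = self._tokens.pop(token, None)
        if msg_id is None:
            raise KeyError("token unknown or already used")
        msg = self._messages[msg_id]
        if msg["view_once"]:
            del self._messages[msg_id]
        return msg["media"]
```

Server-side single-use delivery stops re-downloading and re-serving, but not a client that saves the first copy it receives; that residual risk is the same one the article notes for photographing the screen.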
You can see this in operation in the video below:
Three years ago, WhatsApp introduced View Once mode, which allows messages to be sent, looked at, and then deleted without the recipient being able to save a screenshot of the message. It's not a perfect system: the recipient can still photograph the message with another camera. But it wasn't bad either, and it would help stem privacy violations.
Taking the image directly is far more efficient than snapping a photo of it with another phone, Be'ery told The Register, likening it to using a tape-to-tape recording as opposed to the mass sharing of MP3 à la Napster.
"People can save and copy the image, which invalidates the purpose of the feature. It's privacy theater," he explained. "It's a sloppy design, designed in a very bad way. The design of the whole thing is a dumpster fire."
Additionally, the Zengo team found on GitHub a modified Android client and a Chrome extension that could allow anyone to exploit the issue. So the team decided to abandon the usual 90-day waiting period for responsible disclosure and go public.
Be'ery's team notified WhatsApp about the issue on August 26, over two weeks ago, via Meta's bug bounty program, and a spokesperson confirmed to us that the problem had been logged and was being investigated.
“Our bug bounty program is an important way we receive valuable feedback from external researchers and we are already in the process of rolling out updates to view once on web," we were told. "We continue to encourage users to only send view once messages to people they know and trust.”
Sources familiar with the matter report that a fix for this is being actively worked on and will be available as soon as it has been successfully tested. ®