A privacy flaw in WhatsApp, an instant messenger with over 2 billion users worldwide, is being exploited by attackers to bypass the app's "View once" feature and view messages again.
Meta says that WhatsApp's "View once" feature (introduced three years ago) lets users share photos, videos, and voice messages privately: the recipient should not be able to forward, share, copy, or screenshot them, and they automatically disappear from the chat after being opened once.
"Once you send a view once photo, video, or voice message, you won’t be able to view it again," the company explains on its support website.
"Any photos or videos you send won’t be saved to the recipient’s Photos or Gallery. The recipient also can’t take a screenshot of anything you send using view once."
However, "View once" only blocks screenshots on mobile devices, because the desktop and web clients do not support screenshot blocking.
Furthermore, the Zengo X Research Team found that Meta implemented this feature in what the researchers described as a "neglectful manner," allowing attackers to easily save and share copies of "View once" messages.
"We had responsibly disclosed our findings to Meta, but when we realized the issue is already exploited in the wild, we decided to make it public to protect the privacy of WhatsApp's users," Zengo's CTO Tal Be'ery said.
As Zengo's security researchers found, a "View once" message is sent, encrypted, to all of the recipient's devices and is almost identical to a normal media message: it includes a URL to the encrypted data hosted on WhatsApp's web server (the "blob store") and the key to decrypt it. Additionally, a "View once" message sets a "View once" flag to "true."
"False sense of privacy"
Be'ery explained that WhatsApp's "View once" feature allows users to send messages that should only be viewed once. Still, the messages are sent to all of the receiver's devices, including those not allowed to display them. Additionally, the messages are not immediately deleted from WhatsApp's servers after downloading.
This makes limiting the media's exposure to controlled environments and platforms impossible, especially since some versions of the "View once" messages also contain low-quality media previews that can be viewed without downloading.
Furthermore, "View once" messages work like regular messages apart from the "View once" flag, so an attacker can bypass the privacy feature by setting that flag to false, after which the message can be downloaded, forwarded, and shared.
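As an added illustration (not WhatsApp's code, and not from Zengo's report), the following Python model contrasts the design the article describes, a flag carried inside the message and honoured by the recipient's client while the encrypted blob stays on the server, against a design in which the server enforces a single retrieval and fans view-once messages out only to devices that can render them. The blob store, the device model, the message layout and the XOR stand-in for the media cipher are all assumptions constructed for this example.

```python
"""Constructed model of a client-honoured "view once" flag versus server-side
enforcement. Not WhatsApp code; every structure here is an assumption."""
import secrets
from dataclasses import dataclass

# Constructed sample media; stands in for a photo or voice note.
SAMPLE_MEDIA = b"constructed sample media bytes"


@dataclass
class Message:
    blob_url: str     # where the encrypted media lives on the server
    key: bytes        # decryption key shipped with the message
    view_once: bool   # the flag the recipient's client is trusted to honour


@dataclass
class Device:
    name: str
    supports_view_once: bool   # can this client type render view-once media?
    honours_flag: bool         # False models a client with the check removed


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """One-time-pad XOR used as a stand-in for the real media cipher (assumption)."""
    return bytes(a ^ b for a, b in zip(data, key))


class BlobStore:
    """Naive model: a blob stays reachable until something deletes it."""
    def __init__(self) -> None:
        self._blobs = {}

    def put(self, ciphertext: bytes) -> str:
        url = "blob://" + secrets.token_hex(8)   # constructed URL scheme
        self._blobs[url] = ciphertext
        return url

    def get(self, url: str):
        return self._blobs.get(url)


class OneShotBlobStore(BlobStore):
    """Hardened model: the server itself enforces a single retrieval."""
    def get(self, url: str):
        return self._blobs.pop(url, None)


def send(store: BlobStore, plaintext: bytes, view_once: bool) -> Message:
    key = secrets.token_bytes(len(plaintext))
    return Message(store.put(xor_bytes(plaintext, key)), key, view_once)


def deliver(msg: Message, devices: list, only_capable: bool) -> list:
    """Fan-out: the naive design sends to every linked device; the hardened
    design withholds view-once messages from devices that cannot render them."""
    if only_capable and msg.view_once:
        return [d for d in devices if d.supports_view_once]
    return list(devices)


def open_message(store: BlobStore, msg: Message, device: Device):
    """Returns the media the device retains after opening, or None."""
    ciphertext = store.get(msg.blob_url)
    if ciphertext is None:
        return None
    media = xor_bytes(ciphertext, msg.key)
    # A stock client renders view-once media and keeps no copy; a client
    # that ignores the flag treats it like any other message.
    discard = msg.view_once and device.honours_flag
    return None if discard else media


def run_scenario(server_enforced: bool) -> dict:
    """Send one view-once message to a phone and a linked web client."""
    store = OneShotBlobStore() if server_enforced else BlobStore()
    devices = [
        Device("phone", supports_view_once=True, honours_flag=True),
        Device("web", supports_view_once=False, honours_flag=False),
    ]
    msg = send(store, SAMPLE_MEDIA, view_once=True)
    retained = {}
    for d in deliver(msg, devices, only_capable=server_enforced):
        retained[d.name] = open_message(store, msg, d)
    # In the naive model the blob outlives the first view, so nothing stops
    # a later fetch; in the hardened model the first retrieval consumed it.
    retained["blob_still_on_server"] = store.get(msg.blob_url) is not None
    return retained


def residual_risk() -> bool:
    """Even with server-side enforcement, a capable device running modified
    software keeps whatever it decrypted. True means the media was retained."""
    store = OneShotBlobStore()
    msg = send(store, SAMPLE_MEDIA, view_once=True)
    tampered = Device("phone_modified", supports_view_once=True, honours_flag=False)
    return open_message(store, msg, tampered) == SAMPLE_MEDIA


if __name__ == "__main__":
    print("naive:   ", run_scenario(server_enforced=False))
    print("hardened:", run_scenario(server_enforced=True))
    print("retained despite enforcement:", residual_risk())
```

The point of the model is the trust boundary: a flag that the recipient's own software is asked to honour is a courtesy, not a control, so any client that drops the check turns the message back into an ordinary one. Moving enforcement to the server (one retrieval, delivery only to capable devices) narrows the exposure but cannot stop a capable device running modified software from keeping what it has already decrypted, which is why advice to send such media only to trusted contacts remains the real residual control.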
"Privacy is critical for Instant Messaging. WhatsApp acknowledged that by supporting End-to-End Encryption (E2EE) for its users' conversations by default," Be'ery concluded.
"However, the only thing that is worse than no privacy, is a false sense of privacy in which users are led to believe some forms of communication are private when in fact they are not. Currently, WhatsApp's View once is a blunt form of false privacy and should either be thoroughly fixed or abandoned."
While Zengo researchers are the first to report the issue to Meta and publish a report detailing this privacy issue, the flaw has been abused to save "View Once" messages for at least a year, with those exploiting it even creating browser add-ons to streamline the entire process.
BleepingComputer knows of at least two Google Chrome extensions, one released in 2023, that can disable the View Once flag, allowing the feature to be bypassed.
Meta replied to an email from BleepingComputer regarding the bypass, saying they are currently rolling out changes to the View Once feature. While a fix is coming to WhatsApp Web, it is unclear if the privacy flaw could still be exploited using custom WhatsApp apps.
"Our bug bounty program is an important way we receive valuable feedback from external researchers and we are already in the process of rolling out updates to view once on web," a WhatsApp spokesperson told BleepingComputer. "We continue to encourage users to only send view once messages to people they know and trust."