Researchers have uncovered a privacy flaw in WhatsApp's “View Once” feature, designed to enhance user privacy by allowing media to be viewed once before disappearing. The flaw enables attackers to easily bypass this restriction, rendering the privacy protection mechanism ineffective while providing users with a false sense of protection.
While the ability to bypass WhatsApp's View Once feature has been known for some time, with Chrome extensions offering this functionality, a report by the Zengo X Research team that thoroughly exposes the issue has brought renewed concern to the WhatsApp community.
The discovery was made during Zengo's development of its new multi-party computation (MPC) crypto wallet interface, Zengo Desktop. In exploring similar mobile-first applications, the team examined WhatsApp's privacy features, including “View Once,” and found that the feature's implementation was deeply flawed, particularly when used on platforms like desktop and web, where WhatsApp does not offer full support for it.
Zengo's investigation revealed the following flaws in View Once:
- Weak API controls: The “View Once” restriction is intended for mobile platforms, where WhatsApp can control actions like screenshots. However, the server API does not enforce these restrictions, allowing media to be downloaded on other platforms where these controls are not present.
- Simple flag manipulation: “View Once” messages are essentially regular media with a flag set to limit them to one view. By switching this flag from “true” to “false,” attackers can convert the message back into a regular media file that can be saved, forwarded, or shared.
- Unauthenticated downloads: Once the media URL is obtained, it can be downloaded from any device, as no authentication is required beyond the decryption key.
- Delayed deletion: Instead of being immediately removed from WhatsApp's servers upon viewing, “View Once” media remains accessible for up to two weeks, providing attackers with an extended window to exploit the flaw.
Zengo reports that while building an unofficial WhatsApp client to demonstrate exploitation of the flaw, it discovered multiple cases of active exploitation in the wild, which is particularly concerning for a messenger platform used by over 2 billion people worldwide.
Zengo suggests that WhatsApp can resolve the problem by implementing a more robust Digital Rights Management (DRM) system supported by hardware on modern operating systems like Android and iOS. A simpler, though less secure, approach would be to limit “View Once” media to mobile (primary) devices only and disable it on web and desktop platforms (companion apps).
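To make the difference between the weak design described above and the simpler mitigation concrete, here is a small added model (not WhatsApp's or Zengo's code; the store names, device kinds and the `RETENTION_DAYS` constant are assumptions made for illustration). It contrasts a server that merely carries the flag and keeps media for a retention window with one that treats the sender's flag as authoritative, serves view-once media to primary devices only, and deletes it on first delivery.

```python
from dataclasses import dataclass

RETENTION_DAYS = 14  # the roughly two-week window the article describes (assumed constant)

@dataclass
class Media:
    blob: bytes        # encrypted media as stored server-side (constructed sample)
    view_once: bool    # flag chosen by the sender at upload time
    age_days: int = 0  # days since upload; advanced by the caller in this toy model

class WeakStore:
    """Retention-based model: the view-once flag travels with the message but the
    server never enforces it, so any device (mobile, web, desktop) can keep
    fetching the blob until the retention window lapses."""
    def __init__(self):
        self.items = {}

    def upload(self, mid, blob, view_once):
        self.items[mid] = Media(blob, view_once)

    def fetch(self, mid, device_kind, client_flag=None):
        m = self.items.get(mid)
        if m is None or m.age_days >= RETENTION_DAYS:
            return None
        return m.blob  # neither the sender's flag nor device_kind is consulted

class EnforcingStore(WeakStore):
    """Server-enforced model (the simpler mitigation the article mentions): the
    sender's flag is authoritative, view-once media is released only to a
    primary (mobile) device, and the blob is dropped on first delivery instead
    of lingering for the retention window. Whatever the client claims in
    client_flag is ignored."""
    def fetch(self, mid, device_kind, client_flag=None):
        m = self.items.get(mid)
        if m is None or m.age_days >= RETENTION_DAYS:
            return None
        if not m.view_once:
            return super().fetch(mid, device_kind)
        if device_kind != "primary":
            return None          # companion apps cannot enforce single viewing
        del self.items[mid]      # immediate deletion: no second fetch is possible
        return m.blob
```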
WhatsApp's response
WhatsApp, owned by Meta, acknowledged the issue to RestorePrivacy through a statement from spokesperson Zade Alsawah. They confirmed that updates to the “View Once” feature are being rolled out for web users, and they encouraged users to send sensitive media only to trusted contacts.
“Our bug bounty program is an important way we receive valuable feedback from external researchers and we are already in the process of rolling out updates to view once on web. We continue to encourage users to only send View Once messages to people they know and trust.”
WhatsApp spokesperson
WhatsApp also suggests that users read the Note section of the View Once FAQ page to better understand the feature's practical limitations.
Whether or not the fixes will impact the functionality of the aforementioned Chrome extensions or unofficial client apps created to leverage the multiple flaws in the feature remains to be seen.
Until the flaws in View Once are validated by the security community as properly addressed, users should be cautious when relying on disappearing media features, especially when privacy is of utmost concern. Our recommendation is that users of any communication platform should never assume that disappearing message systems are foolproof.
Travis
Any take on the national public data leak?
Didn’t see an article.
Thanks!
Alex Lekander
Hi Travis, we covered it on our sister site CyberInsider here:
https://cyberinsider.com/hacker-leaks-over-4-billion-user-records-from-nationalpublicdata-and-tencent/
Christopher
So we migrate from here to that site ?
Alex Lekander
You can check out both sites as you wish. RestorePrivacy is mainly focused on digital privacy topics, while CyberInsider covers infosec news.
9o5
Looking at trends Travis, these data breaches don’t stop! See this flux comment and others here-
https://cyberinsider.com/privacy-tools/comment-page-3/?unapproved=1297730&moderation-hash=a1df862a0a562ed94c3aa44970d18261#comment-1297730
Christopher
Facebook/Meta is evil and has no respect for individual privacy. Let us put this aside as a fixture, say ‘period’.
However, on the same day I read this horrible article, I came across some disturbing news about something that happened in a country in west Asia. It is about child abuse and murder at its extreme and, according to the news, the suspects communicated via WhatsApp, and the local police asked WhatsApp for the content of the messages that were deleted after the crime was committed. The police aren’t making any statement, which is telling me that WhatsApp has already given the info to the local police. In these cases, honestly, I get embarrassed and feel guilty when I speak loudly about privacy etc. I don’t know, man…. I don’t really know what to say anymore….
John
Very nice comment. Evil people will find ways to do evil things; it has been like this since the dawn of time. The world today is actually a far better place than it used to be, say, a few hundred years ago. Bad news is easy to find these days because people’s word of mouth is not just limited to small-town gossip anymore.
Winnie
WhatsApp can’t read contents but can read metadata, meaning who messages whom, what kind, when, where etc.
BITR
@Christopher & John, man, I feel your words! I had a friend who wouldn’t eat devil’s food cake because of its name. “Devil’s Food”, as named, may have been chosen to contrast with the angelic connotations of an Angel Food Cake. But for my friend, he was deterred by the perceived association with evil or darkness by sheer name.
Say you had exchanged VPN for devil’s food cake as the topic, in a tool for privacy, in my friend’s example? Thoughts?
That association in people, as of light and dark, holy and unholy, good or bad, right against wrong.
As John notes, “it has been like this since the dawn of time.”
But on Christopher’s note, “honestly, I get embarrassed and feel guilty when I speak loud about privacy etc. I don’t know, man…. I don’t really know what to say anymore…”.
Gentlemen, there are in the world holy people whose conduct conforms to high standards of propriety or correct behavior in their steps of life. As for the conformity of the others, being what is socially acceptable in conduct or speech is their norm in life, as on the web.
But these lights in yourselves are leaders in hope! I wish that I’m not the only one to hear your words… sirs. Metrical is one in a set of measurements of man, especially felt as segregated or separated from others of the same kind or group.
I see God’s goal was to approach the human composition of life from a new angle versus that from the animal kingdom. The gift of choice to let our life rhythmic elements of self to take the lead. So no predetermined state or end. That’s not to say, while many things are permissible, not everything is beneficial or constructive. This freedom is not a license to engage in any behavior, but rather a freedom from the law of Moses and a responsibility to glorify God with one’s body (1 Cor. 6:20).
Our goal is not to isolate ourselves from the world but to live as salt and light in it, influencing others for Christ (Matthew 5:13-16).