Researchers have found a critical flaw in WhatsApp’s “View Once” feature that was found to be actively exploited by threat actors. The “View Once” feature was designed to enhance privacy by allowing users to share photos and videos that disappear after being opened once.
However, a cybersecurity firm has now discovered a critical bug in WhatsApp’s web-based application that allows anyone to bypass the “View Once” privacy measure where recipients can save disappearing messages, potentially compromising the intended fleeting nature of the content.
Bypassing WhatsApp’s ‘View Once’ Feature
The vulnerability, discovered by researchers in Zengo, lies in how WhatsApp implements the “View Once” feature. When a user sends a disappearing photo or video, it’s essentially a regular media message with an additional flag set to “true” indicating it’s meant to vanish after being viewed. However, security experts found that WhatsApp’s web app fails to implement proper restrictions on accessing this flagged media.
Disappearing messages are sent with a URL pointing to the media file hosted on WhatsApp’s servers and a key for decryption. While the “View Once” flag restricts how the mobile app displays the content (disappearing after one view), the web app doesn’t enforce this limitation. By simply manipulating the flag and accessing the media URL directly, anyone can save the disappearing message before it self-destructs.
Beyond Mobile Apps: The Web App Achilles Heel
While WhatsApp restricts users from taking screenshots on mobile devices for “View Once” messages, the web app presents a different scenario. Because the disappearing message functionality relies solely on the “View Once” flag and not additional security measures on the web platform, the vulnerability becomes exploitable.
This raises concerns about the overall security of WhatsApp’s web app. While it offers convenience for desktop access, it appears to lack the same level of security features compared to the mobile applications.
Impact and Potential Consequences
The ability to bypass the “View Once” feature has significant privacy implications. Users who relied on this feature to share sensitive information, like temporary passwords, confidential documents, or private moments, are now at risk of their content being saved permanently. This could lead to blackmail, identity theft, or reputational damage depending on the nature of the shared content.
After exploring the vulnerability, the researchers contacted Meta, WhatsApp’s parent company, about the vulnerability in July 2024. However, upon realizing the issue was already being exploited in the wild, the researchers decided to make their findings public to warn users and encourage a swifter patching process.
Meta has acknowledged the vulnerability and is rolling out updates to address the “View Once” flaw in the web app. However, there’s no confirmation yet on whether users who might have unknowingly had their disappearing messages saved will be notified.
Exercising Caution
The “View Once” bug exposes the importance of robust security testing across all platforms, especially web applications. This incident highlights the need for continuous vigilance and proactive measures to address vulnerabilities before they are exploited by malicious actors.
For WhatsApp users, the lesson is to exercise caution when using the “View Once” feature, particularly on the web app. It’s advisable to limit the type of information shared through this feature and consider alternative secure communication methods for highly sensitive content.
Possible Solutions
The “View Once” bug underscores the ongoing challenges in achieving truly secure ephemeral messaging. While features like disappearing messages offer a sense of privacy, they are only as secure as their implementation.
The researchers have suggested that “To actually solve this issue, WhatsApp needs to apply a proper Digital Rights Management (DRM) solution that also verifies there is hardware support in place for such DRM. Such frameworks are provided by Android and iOS and other modern Operating Systems.”
“A less robust but easier solution would be to have the sender send the “view once” message only to the primary device (mobile) and not to companion linked devices (web, desktop).”
The “View Once” bug serves as a stark reminder that even the most well-intentioned privacy features can be compromised. By understanding the vulnerabilities and implementing best practices, users and developers can work together to create a more secure and trustworthy online communication environment.
