WhatsApp has resolved a significant privacy flaw in its “View Once” feature that allowed malicious users to bypass protections and save media intended to disappear after a single viewing. This bug, which was specific to the browser-based version of WhatsApp’s web app, could have undermined user trust in the platform’s privacy-centric features.
The Privacy Bug That Bypassed “View Once” Security
The “View Once” feature, launched in 2021, was designed to enhance user privacy by ensuring photos and videos sent using the option could only be viewed once before disappearing. It prevents recipients from saving, sharing, forwarding, copying, and even screenshotting or screen recording the media. However, this protection didn’t extend seamlessly to the web version of WhatsApp.
In September, it was reported that a vulnerability in the feature’s implementation allowed users of WhatsApp Web to bypass its restrictions. Armed with specific browser extensions or simple workarounds, malicious users could save media meant to vanish after one view. Posts on social media and browser extension marketplaces even advertised solutions to exploit this vulnerability, some of which required paid subscriptions.
The Fix and WhatsApp’s Response
Last week, WhatsApp rolled out a comprehensive fix to close this loophole. Speaking to TechCrunch, WhatsApp spokesperson Zade Alsawah emphasized the platform’s commitment to privacy:
“We’re constantly building in layers of privacy protection, and that includes rolling out key updates to View Once on the web. As always, we continue to encourage users to only send View Once messages to people they know and trust, and make sure they’re on the latest version of the app.”
The patch seems to have rendered the browser-based exploits ineffective. Users of previously working browser extensions have begun to complain, with some frustrated reviewers commenting, “Does not work AT ALL. Don’t waste your time.”
The Researcher Behind the Discovery
The issue was brought to light by Tal Be’ery, a security researcher and CTO of crypto wallet startup ZenGo. Be’ery has spent significant time investigating privacy vulnerabilities in WhatsApp. Upon discovering the bug, he promptly alerted WhatsApp.
But Be’ery wasn’t the only one aware of the flaw. By the time he reported it, the vulnerability was widely exploited through browser extensions and public posts. Recognizing the urgency, Be’ery adopted a responsible disclosure approach by going public with his findings.
“Sometimes, when a vulnerability is exploited in the wild, a responsible disclosure is to go public,” Be’ery explained. “We are very happy that our research and publication drove WhatsApp to fix the issue and protect the privacy of their users.”
Be’ery’s findings, along with a detailed analysis of WhatsApp’s fix, were published in a blog post earlier this week.
Testing the Patch
To verify the effectiveness of the fix, Be’ery conducted tests using WhatsApp Web and the desktop app. In the past, when receiving a “View Once” message, users could bypass restrictions to save the content. However, after the update, such attempts no longer work.
In one test, WhatsApp Web displayed the message typically seen on the desktop app: “This message is set to View Once. It can’t be saved or shared.” In another instance, the app prompted the user to check their phone, which aligns with WhatsApp’s intent to restrict web-based access to this feature.
“When a security loophole is effectively closed, it’s a win for both the users and the platform,” Be’ery remarked after confirming the patch.
A Milestone in Privacy Protection
This patch highlights WhatsApp’s ongoing efforts to enhance user privacy. While the “View Once” feature was originally designed for WhatsApp’s iOS and Android apps, it’s clear that extending its protections to the web app posed technical challenges.
By addressing this vulnerability, WhatsApp reinforces its stance on privacy and security, ensuring users can trust its features across all platforms. The incident also serves as a reminder for users to stay updated on app versions and to remain cautious when sharing sensitive media, even with privacy-enhancing tools.
WhatsApp continues to encourage its users to send “View Once” messages only to trusted individuals and to use the latest version of the app for optimal security.
For more detailed insights into the bug and its resolution, check out Tal Be’ery’s blog post, where he breaks down the vulnerability and WhatsApp’s response.
This fix marks a critical step forward in safeguarding user privacy and reaffirms WhatsApp’s dedication to creating a secure communication platform in an era where digital privacy is more important than ever.