Video A popular privacy feature in WhatsApp is "completely broken and can be trivially bypassed," according to developers at cryptowallet startup Zengo.

According to cofounder Tal Be'ery, his team was building a web interface when they discovered a flaw in WhatsApp's View Once. While the feature was supposed to be limited to platforms where the necessary controls could be enforced, such as mobile clients, the WhatsApp API server didn't properly enforce it.

The server would still send these messages to other platforms, but they couldn't be viewed - unless someone fiddled with the code.

"The View [O]nce media messages are technically the same as regular media messages, only with the “view once” flag set," the technical explanation states.

"Which means it’s the virtual equivalent of putting a note on the picture that says 'don’t look.' All that is required for attackers to circumvent it, is merely to set this flag to false and the media become regular and can be downloaded, forwarded and shared."

You can see this in operation in the video below:

Three years ago, WhatsApp introduced View Once mode, which allows messages to be sent, looked at, and then deleted without the recipient being able to save a screenshot of the message. It's not a perfect system - the recipient can use another camera to take a picture of the message, but it wasn't bad either, and it would stem privacy violations.

Taking the image directly is far more efficient than snapping a photo of it with another phone, Be'ery told The Register, likening it to using a tape-to-tape recording as opposed to the mass sharing of MP3 à la Napster.

"People can save and copy the image, which invalidates the purpose of the feature. It's privacy theater," he explained. "It's a sloppy design, designed in a very bad way. The design of the whole thing is a dumpster fire."

Additionally, the Zengo team found code examples on GitHub of a modified Android client and a Chrome extension (should people be dumb enough to take the risk of embedded malware and use them) that could allow anyone to exploit the issue. So the team decided to abandon the usual 90-day waiting period for responsible disclosure and go public.

On August 26, Be'ery's team notified WhatsApp about the issue over two weeks ago via Meta's bug bounty program, and a spokesperson confirmed to us that the problem had been logged and was being investigated.

“Our bug bounty program is an important way we receive valuable feedback from external researchers and we are already in the process of rolling out updates to view once on web," we were told. "We continue to encourage users to only send view once messages to people they know and trust.”

Sources familiar with the matter report that a fix for this is being actively worked on and will be available as soon as it has been successfully tested. ®

https://www.theregister.com//2024/09/09/whatsapp_view_once_flaw/