- The Zengo X Research Team recently found out that the popular “View Once” privacy feature on WhatsApp can be easily bypassed.
- Meta has already been notified about the bug and the company has promised that it’s working on an update.
- Meanwhile, users are encouraged to send “View Once” messages only to people they trust.
Threat actors have found an easy way to bypass WhatsApp’s “View Once” privacy feature and save copies of the sent media files.
The View Once feature was introduced 3 years ago. Photos and videos sent via this mode can only be viewed once. The recipient can neither replay them nor save them to their gallery, and screenshotting is also not possible.
This feature only works on mobile, though, and WhatsApp desktop and web versions don’t support it yet. This is why whenever someone sends a View Once photo, you get a message saying that it can only be viewed on their mobile, for privacy reasons. Sounds pretty foolproof and private, right?
However, according to a report by the Zengo X Research Team (who made the discovery), there’s an easy way to bypass it, thanks to a loophole that has existed and been abused for at least a year now.
“We had responsibly disclosed our findings to Meta (on August 26 through its bug bounty program), but when we realized the issue is already exploited in the wild, we decided to make it public to protect the privacy of WhatsApp’s users.” – Zengo’s CTO Tal Be’ery
He even showed a live demo of the bug last week in which he was able to save a copy of a photo sent in “View Once” mode while he was using WhatsApp on the web.
Be’ery also added that the only thing worse than no privacy is a false sense of privacy – very well said indeed.
When users believe their conversations are private, they might divulge information that they wouldn’t under normal circumstances. That’s not fair to them. So, either this flaw needs to be fixed or the feature needs to be completely abandoned.
How Does the Loophole Work?
The biggest problem is that WhatsApp View Once messages work like any regular message, just with a “View once” flag attached. Threat actors can easily set this flag to false, which then allows the message to be downloaded, forwarded, or saved.
It’s not even that hard, and there are at least two Google Chrome extensions that can disable the flag for you.
Plus, messages aren’t immediately deleted from WhatsApp servers. This means if a threat actor were to compromise one of its servers, they could easily access all View Once messages.
What Does WhatsApp Have to Say About This?
The company has acknowledged the problem and said that it’s already in the process of rolling out updates to the feature. However, it is not yet known when the update will launch.
Until then, Meta (WhatsApp) is encouraging users to send View Once photos and videos only to people they trust.