WhatsApp has recently resolved a significant security vulnerability that allowed malicious users to save images and videos intended to be viewed only once before automatically disappearing. This issue raised serious privacy concerns regarding the effectiveness of the app’s “View Once” feature.

In mid-September, TechCrunch reported that a flaw in the implementation of View Once allowed people using WhatsApp’s browser-based web application to both view and keep photos and videos sent with this setting. View Once is meant to ensure that recipients cannot save, share, forward, copy, or even capture screenshots or screen recordings of the media, and that the media vanishes after it is viewed.

Zade Alsawah, a spokesperson for WhatsApp, told TechCrunch that the company has rolled out a more robust, long-term fix for the lingering problem. “We’re constantly working to enhance multiple layers of privacy protection,” Alsawah said in an email statement. “This includes the implementation of critical updates to the View Once feature on the web platform.”

He also encouraged users to send View Once messages only to people they know and trust, and stressed the importance of running the latest app version for optimal security.

Tal Be’ery, a noted security researcher who has been scrutinizing WhatsApp’s privacy challenges throughout the year, played a pivotal role in identifying the bug and reporting it to both WhatsApp and TechCrunch.

However, he was not alone in uncovering this vulnerability. When he first detected the issue, several browser extensions and social media posts were already circulating that offered simple workarounds to bypass the privacy restrictions. Installing such an extension let a user display and save media sent as View Once, which amounted to a significant breach of privacy. Since WhatsApp rolled out its fix within the last couple of weeks, users of these extensions, some of which required paid subscriptions, have been complaining that the functions they relied on no longer work.

“Does not work AT ALL. Don’t waste your time,” lamented one frustrated user in an online comment.

In a test conducted by TechCrunch, the publication received a View Once message on the WhatsApp web app, which displayed a notice consistent with what users would expect to see on the desktop application. The notice confirmed that the media had been sent with the View Once setting.

In another test carried out by TechCrunch and Be’ery the previous week, the researcher saw a different message, “Waiting for this message. Check your phone,” indicating further difficulties with the feature. Ultimately, Be’ery was unable to save the image using the techniques that had worked for him for several months. He reflected on this experience, noting, “Sometimes, when a vulnerability is exploited publicly, responsible disclosure involves going public with the information.”

He expressed satisfaction that the research and its publication prompted WhatsApp to fix the issue, reinforcing the privacy of its user base. Be’ery, who is CTO and co-founder of the cryptocurrency wallet Zengo, subsequently published a detailed blog post analyzing the fix and its implications.

The View Once feature, originally launched in 2021, was designed to function on WhatsApp’s mobile applications (iOS and Android) but not on its web or desktop counterparts, a gap in the coverage of privacy tools across platforms. The incident underscores the importance of ongoing vigilance in app security and user privacy protections.

Source: TechCrunch