WhatsApp Messenger is currently the most used encrypted messaging application worldwide, with two billion users. Users can share disappearing images and videos that vanish once viewed. However, a flaw in the “View Once” feature of the WhatsApp web app makes it possible for any malicious recipient to view and save images and videos that should instantly vanish after viewing.
WhatsApp designed the “View Once” feature for its mobile applications on both the Android and iOS platforms.
In 2021, WhatsApp introduced the feature. Normally, if a user receives a “View Once” image or video, the desktop application or web version of WhatsApp should warn them that the content can only be viewed from a mobile device.
To further enhance privacy, WhatsApp blocks attempts to take screenshots or screen recordings of “View Once” images and videos in its Android and iOS apps.
After months of investigation, Tal Be’ery, a security researcher with a long history of finding WhatsApp privacy issues, has discovered a bug. Be’ery published a blog post yesterday discussing his findings.
Last week, the researcher gave a live demonstration of how he can intercept and save a copy of a picture sent as “View Once” while using WhatsApp's web application.
“The only thing worse than a lack of privacy is a misleading sense of privacy in which users believe certain modes of communication are secure when they actually are not,” Be’ery wrote in his blog post. “As things stand, WhatsApp’s ‘View Once’ feature demonstrates a poor understanding of privacy and should be either drastically improved or altogether deleted,” Be’ery said.
On August 26, Be’ery disclosed the bug to Meta, WhatsApp’s parent company, on its official bug bounty platform.
Following an investigation last week, and shortly after Be’ery filed his bug report, WhatsApp spokesperson Zade Alsawah had this to say: “We’re working on updates for web viewing of once. We always advise people to only send view-once media to people they trust.”
This is not the first time a researcher has found the bug. Be’ery has reported on posts that advertise several browser extensions purporting to easily bypass the “View Once” feature in WhatsApp’s web app. How to circumvent the feature has also been discussed on social media. The posts are not linked here, so as not to help malicious actors leverage the bug.
WhatsApp has so far made no comment on when it will finalise its updates to the View Once feature.