WhatsApp’s “View Once” feature Flaw Exploited in the Wild

Zengo's research team studied Instant Messaging (IM) apps, particularly WhatsApp, to understand how they handle platform-specific features, focusing on WhatsApp's "View once" media feature, which is designed to protect user privacy on mobile devices.

By analyzing WhatsApp’s implementation, the team aimed to gain insights into best practices for implementing similar features in Zengo’s newly launched web interface, Zengo Desktop. 

It helped ensure that Zengo Desktop could provide a secure and user-friendly experience while maintaining privacy standards comparable to those of established IM apps.

WhatsApp Mac desktop app: view once is not supported

WhatsApp’s “View once” feature allows users to send media that disappears after the recipient opens it once, which is designed to protect privacy by preventing recipients from saving, sharing, or copying the content. 

The feature's effectiveness depends on the operating system's control over content copying: on mobile platforms, WhatsApp can use these controls to block screenshots and screen recordings.

On desktop and web platforms, however, users are unable to send or receive “View once” messages due to the lack of necessary operating system support.

WhatsApp's "View once" feature is undermined by weaknesses in its API. Despite its intended purpose, the feature allows unauthorized clients to download and view "View once" messages.

This is because the server does not enforce strict content control, and the messages are sent to all devices regardless of compatibility. The media messages are identical to regular messages except for a flag, which can be easily manipulated. 

Additionally, the server retains the media for two weeks, so it can still be fetched after it has been viewed, which undermines the security and privacy of "View once" messages.

Toggling the view once flag (GitHub)

The researchers at Zengo discovered that WhatsApp's "view once" protection can be bypassed by setting the message flag to "false" using an unofficial client app based on Baileys. They reported the issue to Meta, but others had independently found and exploited it earlier this year.

The bypass can be achieved through modified WhatsApp Android apps or web extensions, which have been available for over a year. 

A Reddit thread from earlier this year discussing viewing "only once" pics with an extension

Digital copying of view once media offers significant advantages over traditional analog methods such as photographing the screen: it enables high-quality, scalable, and instantaneous replication, making it easier for attackers to distribute and exploit sensitive content.

Digital copies also lack attribution clues, making it difficult to trace the source of the media. This undermines the non-repudiation property of view once, since senders can no longer deny having sent the content.

To address the “view once” privacy issue, WhatsApp should implement a robust Digital Rights Management (DRM) solution that verifies hardware support, which would ensure that messages are only viewable on authorized devices. 

Alternatively, a less secure but simpler solution would be to restrict “view once” messages to primary devices only. However, this would not prevent unauthorized viewing by patched mobile clients or extensions. 

Ultimately, WhatsApp must prioritize privacy by either fixing the existing “view once” functionality or discontinuing it altogether to avoid misleading users with a false sense of security.
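To make the server-side gap concrete, here is an added simulation (not WhatsApp's or Zengo's code) of the two media-delivery policies this article contrasts: the weak one described above (media fanned out to every linked device, the view-once flag honoured only by the client, media retained for two weeks) beside the enforcing one recommended here (delivery restricted to a primary device that proves support, one fetch, then deletion). The `supports_view_once` attestation, the device and message classes, and the timestamp `T0` are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Device:
    device_id: str
    primary: bool
    supports_view_once: bool  # assumed: a capability the device proves to the server

@dataclass
class MediaMessage:
    media_id: str
    view_once: bool  # flag set by the sender's client at upload time
    uploaded_at: datetime

T0 = datetime(2024, 9, 1)  # constructed reference time for the scenarios

class WeakMediaServer:
    """Models the behaviour described above: fan-out to every linked device,
    no server-side notion of 'view once', media kept for two weeks."""
    RETENTION = timedelta(days=14)
    def __init__(self):
        self.store = {}
    def upload(self, msg, devices):
        self.store[msg.media_id] = msg
        return [d.device_id for d in devices]  # every device, flag ignored
    def download(self, media_id, device, now):
        msg = self.store.get(media_id)
        if msg is None or now - msg.uploaded_at > self.RETENTION:
            return None
        return msg  # any device, any number of times, for 14 days

class EnforcingMediaServer(WeakMediaServer):
    """Hardened policy: the server keeps its own record of the flag, delivers
    view-once media only to a primary device that proves support, and deletes
    the media after the first fetch. A recipient client that flips its local
    copy of the flag gains nothing, because the server never consults it."""
    def upload(self, msg, devices):
        self.store[msg.media_id] = msg
        if msg.view_once:
            devices = [d for d in devices if d.primary and d.supports_view_once]
        return [d.device_id for d in devices]
    def download(self, media_id, device, now):
        msg = super().download(media_id, device, now)
        if msg is None or not msg.view_once:
            return msg
        if not (device.primary and device.supports_view_once):
            return None
        del self.store[media_id]  # one fetch only; nothing left to re-download
        return msg
```

Run both servers against the same primary phone and a linked desktop: the weak server hands the media to the desktop repeatedly for 14 days, while the enforcing server never delivers it to the desktop and serves the phone exactly once.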

Kaaviya
Kaaviya, https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cybersecurity incidents happening in cyberspace.
