Users of WhatsApp, one of the world’s most popular messaging apps, may be lulled into a false sense of privacy by “View Once” messages: a report by the Zengo X Research Team reveals that those messages are stored for two weeks, can be viewed an unlimited number of times, and can sometimes even be viewed by outsiders.
WhatsApp claims that “You can send photos, videos, and voice messages that disappear from a chat after the recipient has opened them once. This is known as send as view once.”
However, the researchers say the View Once media feature is “completely broken and can be trivially bypassed.” Exploits, in the form of web browser extensions that reveal messages already viewed, already exist in the wild.
The problem lies in the way the functionality is implemented. When one user sends such a message, it travels to WhatsApp’s server instead of the receiver’s device. There is no enforced protection from abusing the server’s API.
The server sends the message to “all of the receiver’s devices, including the ones that are not allowed to display it.”
“The View Once media messages are technically the same as regular media messages, only with the ‘view once’ flag set. Which means it’s the virtual equivalent of putting a note on the picture that says ‘don’t look.’”
A Web application could repeatedly receive the message and set its “isViewOnce” flag to “false” to turn it into a regular message. No jailbreak or binary patching is required.
The message receiver gets a URL to the encrypted message together with the encryption key.
According to the Zengo report, if the URL address is known, any client can download the encrypted media stored on WhatsApp’s server without authentication. Some messages contain a low-quality preview that can be used to view the picture without even downloading it.
The messages are stored on the WhatsApp server for two weeks after being downloaded.
“One would expect the server to immediately delete the view once media, once it had been downloaded,” the researchers argue.
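As an added illustration (not WhatsApp’s code or Zengo’s), the toy model below contrasts the design the report describes, where the “view once” flag travels with the message and the server hands out media to anyone holding the URL, with a server-enforced design that checks the requesting recipient and purges the media after its first download. All names, tokens and the sample photo bytes are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MediaServer:
    """Toy media store keyed by an unguessable URL token (constructed model)."""
    objects: dict = field(default_factory=dict)  # token -> {blob, recipient, view_once, downloads}

    def upload(self, blob: bytes, recipient: str, view_once: bool) -> str:
        token = secrets.token_urlsafe(16)  # stands in for the media URL
        self.objects[token] = {"blob": blob, "recipient": recipient,
                               "view_once": view_once, "downloads": 0}
        return token

    def download_unenforced(self, token: str) -> Optional[bytes]:
        """Client-side flag only: the server checks neither identity nor the flag,
        so any client with the URL can fetch the blob as often as it likes."""
        obj = self.objects.get(token)
        if obj is None:
            return None
        obj["downloads"] += 1
        return obj["blob"]

    def download_enforced(self, token: str, requester: str) -> Optional[bytes]:
        """Server-enforced: only the intended recipient may fetch, and a view-once
        object is deleted on first successful download, so replays get nothing."""
        obj = self.objects.get(token)
        if obj is None or obj["recipient"] != requester:
            return None
        obj["downloads"] += 1
        if obj["view_once"]:
            del self.objects[token]  # nothing left for other devices or re-downloads
        return obj["blob"]


def demo() -> dict:
    """Runs both designs on the same constructed photo; returns what each allowed."""
    photo = b"\x89PNG constructed sample bytes"
    server = MediaServer()
    t_weak = server.upload(photo, recipient="alice", view_once=True)
    t_strong = server.upload(photo, recipient="alice", view_once=True)
    weak = [server.download_unenforced(t_weak) for _ in range(3)]   # leaked URL, 3 fetches
    strong = [server.download_enforced(t_strong, "mallory"),        # wrong identity
              server.download_enforced(t_strong, "alice"),          # the one legitimate view
              server.download_enforced(t_strong, "alice")]          # replay after purge
    return {"unenforced_fetches": sum(b is not None for b in weak),
            "enforced_fetches": sum(b is not None for b in strong),
            "weak_still_stored": t_weak in server.objects,
            "strong_still_stored": t_strong in server.objects}
```

Running `demo()` shows three successful fetches with the media still on the server under the weak design, against exactly one under the enforced design with the object gone afterwards.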
As a demonstration, the researchers built their own unofficial WhatsApp client and reported their findings to Meta. However, after discovering others using the exploit in the wild, Zengo released its findings publicly.
“To actually solve this issue, WhatsApp needs to apply a proper Digital Rights Management (DRM) solution that also verifies there is hardware support in place for such DRM,” the report suggests. Android, iOS, and other modern Operating Systems provide such frameworks.
A WhatsApp spokesperson told RestorePrivacy that updates to the feature are coming and encouraged users to send sensitive messages only to people they trust.