WhatsApp flaw lets you save 'View Once' photos and videos
WhatsApp's "View Once" feature, designed to enhance user privacy by making media disappear after a single view, has been found to have a significant flaw. The vulnerability was uncovered by Zengo X, a research group. This glitch allows recipients to circumvent the privacy measures and save media that was intended to be ephemeral. The issue lies within WhatsApp's web-based application and was detailed in a blog post by Zengo X security expert Tal Be'ery on Monday.
The feature is exclusively designed for WhatsApp's mobile apps
The "View Once" feature was introduced by WhatsApp in 2021, as a tool for users to share photos, videos, and voice messages that vanish after being viewed once. This function is designed to work exclusively on WhatsApp's mobile applications for Android and iOS. When a "View Once" message is received on the desktop or web versions of WhatsApp, users are notified that the content can only be viewed on a mobile device.
The vulnerability allows bypassing of privacy controls
However, the security flaw allows recipients to bypass the "View Once" feature and save media that was meant to disappear after a single view. According to Be'ery, "View Once" messages are regular media with an added "view once" flag, which can be easily disabled. "If the receiver uses a client that ignores that field (e.g. patched client/web extension) the 'view once' promise becomes void. We had proved it by building our own unofficial WhatsApp client," wrote Be'ery on X.
Be'ery suggests solutions to address the security issue
Be'ery has suggested that WhatsApp should either thoroughly fix the issue or discontinue the feature. He proposed implementing a more robust Digital Rights Management (DRM) system or restricting media to mobile devices as potential solutions. These 'View Once' messages remain on WhatsApp servers for up to two weeks after being viewed rather than being immediately deleted. However, Be'ery was not the first to discover this bug as he found posts promoting browser extensions that bypass WhatsApp's "View Once" feature.
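The design point behind these suggestions, as an added example that is not from the article and is not WhatsApp's protocol or code: a simplified Python model contrasting a delivery path that trusts the client to honour the flag with one that enforces the policy before media is released. `MediaStore`, `Message`, `MOBILE_PLATFORMS` and the platform strings are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass

# Assumption: platforms permitted to receive view-once media.
MOBILE_PLATFORMS = {"android", "ios"}


@dataclass
class Message:
    media: bytes
    view_once: bool = False


class MediaStore:
    """Hypothetical delivery service used only to illustrate the design choice."""

    def __init__(self):
        self._messages = {}

    def put(self, msg_id, message):
        self._messages[msg_id] = message

    def fetch_trusting_client(self, msg_id, platform):
        # Weak model: media and flag go to any client, and the client is
        # expected to honour the flag. A client that ignores the field
        # keeps the media, and the media stays retrievable afterwards.
        msg = self._messages[msg_id]
        return msg.media, msg.view_once

    def fetch_enforced(self, msg_id, platform):
        # Enforced model: the policy is applied before release.
        # `platform` must come from an authenticated device registration
        # held by the service, not from a value the client reports.
        msg = self._messages.get(msg_id)
        if msg is None:
            return None  # already consumed, or never stored
        if not msg.view_once:
            return msg.media  # ordinary media is unaffected
        if platform not in MOBILE_PLATFORMS:
            return None  # web/desktop never receives view-once media
        del self._messages[msg_id]  # single release, no retention after it
        return msg.media
```
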
WhatsApp is rolling out updates to fix the issue
In response to the security flaw, a WhatsApp representative, Zade Alsawah, stated that updates are being rolled out for the 'View Once' feature on the web. He also advised users to send such messages only to trusted contacts. This advice aligns with the cautionary note on WhatsApp's official website, further emphasizing the importance of user discretion when using features like "View Once."