WhatsApp’s “View Once” Feature Flaw Exploited in the Wild

The Zengo X Research Team has uncovered a critical flaw in WhatsApp’s “View Once” feature, designed to enhance user privacy by allowing media to be viewed only once before disappearing.

This flaw, now exploited in the wild, raises significant concerns about the security of the world’s most popular instant messaging app.

Discovery and Disclosure

The Zengo X Research Team, as part of their ongoing security research, identified a trivial way to bypass the “View Once” feature.

Despite responsibly disclosing these findings to Meta, WhatsApp’s parent company, the team decided to make the issue public after discovering active exploitation.

The flaw allows media intended to be viewed once to be downloaded and shared without restriction, undermining the feature’s intended privacy protections.

Technical Insights into the Flaw

The “View Once” feature is supposed to prevent recipients from saving, forwarding, or taking screenshots of media.

However, the Zengo X Research Team found that the implementation is flawed. The media is sent to all recipient devices, including web applications, where “View Once” is not supported.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

By altering the “view once” flag, the media can be transformed into regular media, allowing it to be downloaded and shared freely.

Furthermore, the media can be accessed without authentication if the media URL and decryption key are known.

This makes it impossible to limit exposure to controlled environments. Some messages contain low-quality previews that can be viewed without downloading the media.

The media remains accessible on WhatsApp servers for up to two weeks, contrary to expectations that it would be deleted immediately after viewing.

Exploitation in the Wild

Others have identified and exploited the flaw. Some have developed modified WhatsApp clients or web extensions that toggle the “view once” flag, allowing unrestricted access to the media.

According to GitHub timestamps, these solutions have been discussed in online forums and have been available for over a year. The ease of exploitation highlights the urgency for Meta to address this vulnerability.

Why This Matters

While some may argue that the “View Once” feature was never entirely secure, as recipients could always use another device to capture the media, the digital bypass of this feature poses more significant risks.

Digital copying allows for exact replicas, scalability, and instant copying, which are impossible with manual methods.

This facilitates unauthorized distribution and complicates attribution and non-repudiation, as the original sender can no longer deny sending the media.

Exploiting this flaw underscores the need for robust security measures in digital communication platforms. As users increasingly rely on these platforms for private communication, ensuring their security is paramount.

Meta has yet to respond publicly to these findings, leaving users uncertain about the safety of their private communications on WhatsApp.

The Zengo X Research Team’s discovery of this flaw serves as a critical reminder of the ongoing challenges in digital privacy and security.

Users are advised to exercise caution and stay informed about updates and patches from WhatsApp to protect their privacy.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!