Cyber Security News

WhatsApp’s “View Once” Feature Flaw Exploited in the Wild

The Zengo X Research Team has uncovered a critical flaw in WhatsApp’s “View Once” feature, designed to enhance user privacy by allowing media to be viewed only once before disappearing.

This flaw, now exploited in the wild, raises significant concerns about the security of the world’s most popular instant messaging app.

Discovery and Disclosure

The Zengo X Research Team, as part of their ongoing security research, identified a trivial way to bypass the “View Once” feature.

Despite responsibly disclosing these findings to Meta, WhatsApp’s parent company, the team decided to make the issue public after discovering active exploitation.

The flaw allows media intended to be viewed once to be downloaded and shared without restriction, undermining the feature’s intended privacy protections.

WhatsApp’s “View Once” feature explained within the app

Technical Insights into the Flaw

The “View Once” feature is supposed to prevent recipients from saving, forwarding, or taking screenshots of media.

However, the Zengo X Research Team found that the implementation is flawed. The media is sent to all recipient devices, including web applications, where “View Once” is not supported.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

By altering the “view once” flag, the media can be transformed into regular media, allowing it to be downloaded and shared freely.

View once” explained within the WhatsApp application

Furthermore, the media can be accessed without authentication if the media URL and decryption key are known.

This makes it impossible to limit exposure to controlled environments. Some messages contain low-quality previews that can be viewed without downloading the media.

The media remains accessible on WhatsApp servers for up to two weeks, contrary to expectations that it would be deleted immediately after viewing.

Exploitation in the Wild

Others have identified and exploited the flaw. Some have developed modified WhatsApp clients or web extensions that toggle the “view once” flag, allowing unrestricted access to the media.

According to GitHub timestamps, these solutions have been discussed in online forums and have been available for over a year. The ease of exploitation highlights the urgency for Meta to address this vulnerability.

Multiple reports to Meta’s security program

Why This Matters

While some may argue that the “View Once” feature was never entirely secure, as recipients could always use another device to capture the media, the digital bypass of this feature poses more significant risks.

Digital copying allows for exact replicas, scalability, and instant copying, which are impossible with manual methods.

This facilitates unauthorized distribution and complicates attribution and non-repudiation, as the original sender can no longer deny sending the media.

Exploiting this flaw underscores the need for robust security measures in digital communication platforms. As users increasingly rely on these platforms for private communication, ensuring their security is paramount.

Meta has yet to respond publicly to these findings, leaving users uncertain about the safety of their private communications on WhatsApp.

The Zengo X Research Team’s discovery of this flaw serves as a critical reminder of the ongoing challenges in digital privacy and security.

Users are advised to exercise caution and stay informed about updates and patches from WhatsApp to protect their privacy.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Chinese Hackers Breach Belgium State Security Service as Investigation Continues

Belgium’s State Security Service (VSSE) has suffered what is being described as its most severe…

15 hours ago

Hacktivist Groups Emerge With Powerful Tools for Large-Scale Cyber Operations

Hacktivism, once synonymous with symbolic website defacements and distributed denial-of-service (DDoS) attacks, has evolved into…

15 hours ago

New Pass-the-Cookie Attacks Bypass MFA, Giving Hackers Full Account Access

Multi-factor authentication (MFA), long considered a cornerstone of cybersecurity defense, is facing a formidable new…

20 hours ago

Chinese Hackers Exploit Check Point VPN Zero-Day to Target Organizations Globally

A sophisticated cyberespionage campaign linked to Chinese state-sponsored actors has exploited a previously patched Check…

22 hours ago

PingAM Java Agent Vulnerability Allows Attackers to Bypass Security

A critical security flaw (CVE-2025-20059) has been identified in supported versions of Ping Identity’s PingAM…

22 hours ago

New GitHub Scam Uses Fake “Mods” and “Cracks” to Steal User Data

A sophisticated malware campaign leveraging GitHub repositories disguised as game modifications and cracked software has…

24 hours ago