Researchers said a serious security issue threatens WhatsApp users’ privacy. The vulnerability typically affects the ‘View Once’ feature in WhatsApp, allowing an adversary to gain persistent access to the target media without the other user’s knowledge.
Vulnerability In ‘View Once’ Feature Allows Persistent Access To WhatsApp Media
Security researchers from Zengo discovered a serious security issue affecting WhatsApp that allowed an attacker to bypass the app’s ‘View Once’ privacy feature. As explained in a post, Be’ery and the team discovered a way to access media content shared on WhatsApp with a ‘View Once’ limitation.
According to Meta, ‘View Once’ is a privacy-oriented media-sharing feature on WhatsApp that allows the recipient to view and access the shared media only once. Such media (audio messages, videos, and photos) automatically disappear from the chat once the recipient opens them, ensuring no traces behind. The recipients can neither download such media on their devices nor take screenshots.
While the approach sounds impressive, the researchers proved otherwise, bypassing the privacy feature.
Specifically, the problem existed because of how WhatsApp servers deal with the ‘View Once’ media. The researchers noticed that WhatsApp servers simply flagged the message as ‘View Once’ and shared it across all devices, including those unsupported for ‘View Once’ messages. Hence, an adversary could bypass the “viewOnce: true” by changing it to “false”. Once done, the attacker could easily view and download the message on any device, just like a regular WhatsApp message, without further authentication.
Another implementation error with this feature is the retention of ‘View Once’ messages for 2 weeks on WhatsApp servers.
The researchers could easily bypass this privacy feature in two ways. First, they built an unofficial WhatsApp client based on the WhatsApp Web API client “Baileys,” linking it to an existing WhatsApp account to download and save ‘View Once’ messages. Second, they could download the encrypted message with any client, decrypting it later via OpenSSL, as demonstrated in the following video.
Meta Patched The Flaw
Following this discovery, the researchers responsibly disclosed the flaw to Meta. However, after noticing this flaw’s active exploitation, the researchers disclosed the matter publicly.
For now, no official patch exists to address this ‘View Once’ vulnerability for WhatsApp users. Nonetheless, according to Bleeping Computer, Meta is likely working on a fix that will roll out in future releases. Here’s what Meta’s statement reads,
Our bug bounty program is an important way we receive valuable feedback from external researchers and we are already in the process of rolling out updates to view once on web. We continue to encourage users to only send view once messages to people they know and trust.
Let us know your thoughts in the comments.
