A newly discovered privacy vulnerability in WhatsApp, the messaging platform with over 2 billion users globally, is being exploited by attackers to bypass the app’s “View Once” feature. This flaw enables them to view supposedly one-time messages multiple times.

WhatsApp introduced the “View Once” feature three years ago, allowing users to share photos, videos, and voice messages that automatically disappear after being opened once. The feature is designed to enhance privacy, ensuring that recipients cannot forward, copy, or screenshot these messages. According to Meta, the parent company of WhatsApp, “View Once” messages are intended to be temporary and cannot be re-accessed or saved in the recipient’s gallery.

However, despite these privacy measures, the Zengo X Research Team found significant gaps in the implementation of the feature. While mobile platforms prevent users from taking screenshots, desktop and web versions do not have this restriction, creating an opportunity for attackers to save and share “View Once” media.

Zengo researchers discovered that Meta’s implementation of the feature was “neglectful,” making it easier for malicious actors to bypass the one-time viewing restriction. The researchers revealed that encrypted media sent via the “View Once” feature can still be accessed on all of a recipient’s devices. These messages include a URL to WhatsApp’s web server, along with the key needed to decrypt the content, allowing attackers to exploit this information and save the media.

“We disclosed our findings to Meta responsibly, but once we saw this issue was being exploited in the wild, we decided to make it public to protect WhatsApp’s users,” said Tal Be’ery, CTO of Zengo.

The discovery raises serious concerns about the reliability of WhatsApp’s privacy features, especially for users who rely on the “View Once” option for sharing sensitive content.

Meta replied to an email from BleepingComputer regarding the bypass, saying they are currently rolling out changes to the View Once feature. While a fix is coming to WhatsApp Web, it is unclear if the privacy flaw could still be exploited using custom WhatsApp apps.