WhatsApp, the most popular end-to-end encrypted messaging app in the world with more than two billion users, allows users to exchange pictures and videos that disappear soon after opening.
But a bug in how WhatsApp implements its so-called “View Once” feature in its browser-based web app allows any malicious recipient to display and save the picture and video, which should vanish immediately after being viewed.
The “View Once” feature is designed to work only on WhatsApp’s mobile apps on Android and iOS. WhatsApp rolled out the feature in 2021.
In typical circumstances, when a user receives a “View Once” picture or video while using WhatsApp on the desktop app or on the web app, the user will see a warning that the picture or video can only be opened using WhatsApp on their phone.
As an added privacy protection, WhatsApp prevents users from taking screenshots or screen recordings of “View Once” pictures and videos in its Android and iOS apps.
Tal Be’ery, a security researcher who has been researching WhatsApp privacy issues for several months, recently discovered the bug. On Monday, Be’ery published a blog post detailing his findings.
Be’ery provided TechCrunch with a live demo of the bug last week, in which he showed he was able to capture and save a copy of a picture that TechCrunch sent as “View Once,” while he was using WhatsApp on the web.
“The only thing that is worse than no privacy, is a false sense of privacy in which users are led to believe some forms of communication are private when in fact they are not,” said Be’ery, who is the CTO and co-founder of crypto wallet Zengo, in his blog post. “Currently, WhatsApp’s ‘View Once’ is a blunt form of false privacy and should either be thoroughly fixed or abandoned,” wrote Be’ery.
Contact Us
Do you have more information about bugs in WhatsApp or other messaging apps? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Be’ery reported the bug to WhatsApp’s parent company Meta through its official bug bounty platform on August 26.
In response to TechCrunch’s request for comment last week, and days after Be’ery filed his bug report, WhatsApp spokesperson Zade Alsawah sent a statement: “We are already in the process of rolling out updates to view once on web. We continue to encourage users to only send view once messages to people they know and trust.”
Be’ery is not the first person to find out about this bug. Be’ery and TechCrunch saw posts promoting multiple browser extensions that make it trivially easy to bypass the “View Once” feature while using WhatsApp’s web app. TechCrunch has also seen active discussions on how to bypass the feature on social media. TechCrunch is not linking to the posts as to not aid malicious actors in exploiting the bug.
WhatsApp did not provide a timeline for when it plans to complete its updates to View Once.