WhatsApp fixed a bug that allowed malicious users to save pictures and videos that were supposed to be viewed only once and then vanish.
In September, TechCrunch reported that a bug in the implementation of the “View Once” privacy feature allowed people using WhatsApp’s browser-based web app to display and then keep the picture or video. The View Once feature is designed to prevent recipients from saving, sharing, forwarding, copying, and even screenshotting or screen recording media sent as “View Once,” given that in normal circumstances, the pictures or videos disappear after being viewed.
On Friday, WhatsApp spokesperson Zade Alsawah told TechCrunch that the company has rolled out a longer-term fix that resolved the issue.
“We’re constantly building in layers of privacy protection, and that includes rolling out key updates to view once on web,” Alsawah said in an email. “As always, we continue to encourage users to only send View Once messages to people they know and trust, and make sure they’re on the latest version of the app.”
Contact Us
Do you have more information about bugs in WhatsApp or other messaging apps? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Tal Be’ery, a security researcher, who has been looking into WhatsApp’s privacy issues this year, alerted WhatsApp and TechCrunch of the bug. But Be’ery wasn’t the only one who found the flaw. When he found it, there were also several browser extensions and posts on social media that advertised easy solutions to circumvent the privacy feature, allowing users to just install an extension and automatically be able to display and save media sent as View Once.
After WhatsApp’s fix, which appears to have been pushed in the last couple of weeks, users of those browser extensions, some of which require a paid subscription, are complaining that they don’t work anymore. “Does not work AT ALL. Don’t waste your time” complained one user.
Now, in a test performed by TechCrunch on Friday, when we received a View Once Message on WhatsApp’s web app, the app displayed the following message, which is the same message that it usually displays on the desktop app.
In another test performed by TechCrunch and Be’ery last week, the researcher saw a different message: “Waiting for this message. Check your phone.”
In any case, Be’ery wasn’t able to save the picture using the technique he has been using for months. “Sometimes, when a vulnerability is exploited in the wild, a responsible disclosure is to go public,” Tal Be’ery told TechCrunch. “We are very happy that our research and publication drove WhatsApp to fix the issue and protect the privacy of their users.”
Be’ery, who is the CTO and co-founder of crypto wallet Zengo, published a blog post on Monday analyzing the fix.
View Once was launched in 2021 and is designed to work only on WhatsApp’s iOS and Android apps, and not on the web or desktop app.
