How WhatsApp's ‘View Once’ Feature Isn't as Secure as You Think

Vlad CONSTANTINESCU

September 10, 2024


A recent cybersecurity development puts WhatsApp user privacy in the spotlight, as one of the popular messaging app’s features has been shown to have a significant flaw.

WhatsApp ‘View Once’ Bypassed by Researchers

WhatsApp boasts a privacy-focused feature meant to make photos, videos, voice messages and other media content viewable only once by the recipient. However, security experts discovered that a flaw in WhatsApp’s web app could render the feature useless.

Tal Be’ery and the Zengo X Research Team have pointed out that this privacy setting could be easily bypassed on platforms other than the mobile app, such as WhatsApp Web. The researchers have shown that, with simple modifications, users could permanently bypass the ephemeral nature of “View Once” media, making it not only fail to disappear, but also allowing them to save it, redisplay it, or forward it to others.

WhatsApp Web Handles Temporary Content as Regular Media

The technical issue stems from the fact that “View Once” media are handled like regular media, with only a simple flag preventing further viewing. However, attackers could alter this flag from “true” to “false,” rendering the media accessible indefinitely.

Threat actors could exploit this vulnerability using either patched mobile clients or web extensions that modify the genuine WhatsApp Web experience.

Despite the serious privacy implications, the problem persists mainly due to WhatsApp’s lack of a robust Digital Rights Management (DRM) system that could enforce stricter access control and verification mechanisms.

DRM Mechanism Among Proposed Fixes

Researchers proposed two possible fixes: implementing a comprehensive DRM mechanism that includes hardware verification, or restricting “View Once” messages solely to the primary devices, such as mobile phones, which would reduce, but not eliminate, the risk.

The second suggested fix would eliminate the “View Once” feature from companion linked devices (primarily web and desktop apps), but it would only defeat extensions and wouldn’t eliminate the issue from patched mobile clients.
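The difference between the flag-only design and the second proposed fix can be modeled as a delivery policy. This is an added example, not code from WhatsApp or from the researchers, and the device list, field names and function names are hypothetical.

```javascript
// Added illustration: a constructed model, not WhatsApp or Zengo code.
// Device list, field names and function names are all hypothetical.
const DEVICES = [
  { id: "phone", primary: true },
  { id: "web", primary: false },
  { id: "desktop", primary: false },
];

// Flag-only design: every linked device gets the full media, and "view once"
// is a boolean that the receiving client is merely trusted to honor.
function fanOutFlagOnly(msg, devices) {
  return devices.map((d) => ({ deviceId: d.id, viewOnce: msg.viewOnce, media: msg.media }));
}

// Primary-only design: companion devices get a placeholder with no media
// whenever the message is marked view-once; regular media is unaffected.
function fanOutPrimaryOnly(msg, devices) {
  return devices.map((d) => {
    const withhold = msg.viewOnce && !d.primary;
    return { deviceId: d.id, viewOnce: msg.viewOnce, media: withhold ? null : msg.media };
  });
}

// Devices whose client software must be trusted to delete the media:
// every device that was handed the bytes of a view-once message.
function trustedToDelete(deliveries) {
  return deliveries.filter((x) => x.viewOnce && x.media !== null).map((x) => x.deviceId);
}

// Constructed sample messages.
const photo = { viewOnce: true, media: "<constructed media bytes>" };
const regular = { viewOnce: false, media: "<constructed media bytes>" };

console.log("flag only    :", trustedToDelete(fanOutFlagOnly(photo, DEVICES)));
console.log("primary only :", trustedToDelete(fanOutPrimaryOnly(photo, DEVICES)));
console.log("regular media:", fanOutPrimaryOnly(regular, DEVICES).map((x) => x.deviceId));
```

The primary-only policy shrinks the set of clients that must be trusted from three to one, but the set is never empty, which is why the researchers describe this fix as reducing the risk without eliminating it.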

WhatsApp Has Yet to Address the Vulnerability

WhatsApp has yet to disclose plans to address this vulnerability, leaving many users questioning the reliability of privacy features in popular communication apps. In light of these findings, users should remain cautious about sending sensitive information through “View Once” until WhatsApp provides a solution to ensure true privacy protection.

It’s also crucial for people to understand the risks associated with digital communication tools and take steps to safeguard their personal data. Our guide on digital privacy can provide essential strategies to protect your sensitive data from being exposed to intrusions.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
