If you’re sending a “View Once” message, photo, or video through WhatsApp, don’t be so sure that the receiver can’t view it again.
Security researchers with crypto wallet ZenGo recently discovered a bug that allowed WhatsApp users to view “View Once” messages as many times as they liked.
In response, WhatsApp patched the issue. But, ZenGo researchers then discovered another exploit in WhatsApp’s fix that once again allowed them to access these messages that had supposedly disappeared.
WhatsApp View Once exploit
WhatsApp launched its View Once feature in 2021. View Once allows users to send texts, photos, and videos that disappear after the recipient initially accesses them.
Furthermore, to ensure the ephemeral nature of these messages, WhatsApp disables screenshots from being used in the app on View Once messages through iOS and Android. In addition, WhatsApp limits View Once messages to the mobile apps only.
However, in a post last week, ZenGo Security Research Manager Tal Be’ery detailed an exploit that allowed his team to access View Once messages over and over again.
Basically, as Be’ery explains, the View Once messages are only restricted from view in the mobile apps after being viewed. The media continues to exist on WhatsApp’s servers. If a user can find the URL for the media file, they can access the message or media file that was supposed to have disappeared.
Be’ery went through the official channels with WhatsApp’s parent company Meta and reported the exploit through their bug bounty program on August 26. It was too late though. Be’ery soon found that the bug was already in the wild, as a Chrome extension popped up allowing users to access their already-viewed View Once messages through WhatsApp’s web app. ZenGo went public with the exploit and published their report last week on Sept. 9.
Meta’s fix and exploit #2
It appears the issue has been taken seriously by Meta, at least after Be’ery went public with the exploit. Meta appears to have released a fix for the WhasApp View Once bug on Sept. 12.
According to a new report by Be’ery, Meta’s patch “changes the way View Once media messages are saved to the application’s databases and redact some of the information that enables the media viewing.”
The fix appears to have broken the previously mentioned “View Once Photos Bypass” Chrome extension as well.
But, the fix is “still not enough,” according to Be’ery and can be exploited with a workaround. In fact, as Be’ery discovered, the creator of the View Once bypass Chrome extension published an update saying that they’ve already discovered a new exploit in order to once again access View Once media.
Be’ery also published a video showing how View Once messages are still accessible.
Mashable reached out to Meta regarding the issue and will update this post when we hear back.
According to The Register, sources familiar with the issue claim that the fix was only meant to be a temporary one as Meta works to completely restructure how View Once messages are handled.
0 Comments