Researchers say a serious security issue threatens the privacy of WhatsApp users. The vulnerability typically affects the ‘View Once’ feature in WhatsApp, which allows an adversary to gain permanent access to the target media without the other user’s knowledge.
Vulnerability in ‘View Once’ feature allows permanent access to WhatsApp media
Security researchers at Zengo discovered a serious security vulnerability in WhatsApp that allowed an attacker to bypass the app’s ‘View Once’ privacy feature. As explained in a afterBe’ery and the team discovered a way to access media content shared on WhatsApp with a ‘View Once’ restriction.
According to Meta, ‘View Once’ is one privacy-focused media sharing feature on WhatsApp which allows the recipient to view and access the shared media only once. Such media (audio messages, videos and photos) automatically disappear from the chat once the recipient opens them, leaving no trace. The recipients cannot download such media on their devices or take screenshots.
While the approach sounds impressive, the researchers proved otherwise, bypassing the privacy feature.
The problem mainly existed because of the way WhatsApp servers handle the ‘View Once’ media. The researchers noticed that WhatsApp servers simply marked the message as ‘View Once’ and shared it across all devices, including those that were not supported for ‘View Once’ messages. Therefore, an adversary could bypass the “viewOnce: true” by changing it to “false”. Once done, the attacker can easily view and download the message on any device, just like a regular WhatsApp message, without further authentication.
Another implementation bug with this feature is keeping ‘View Once’ messages on WhatsApp servers for 2 weeks.
The researchers were able to easily bypass this privacy feature in two ways. First, they built an unofficial WhatsApp client based on the WhatsApp Web API client “Baileys”, linking it to an existing WhatsApp account to download and store ‘View Once’ messages. Second, they could download the encrypted message with any client and later decrypt it via OpenSSL, as demonstrated in the following video.
Meta has fixed the error
After this discovery, the researchers responsibly disclosed the error to Meta. However, after noticing the active exploitation of this flaw, the researchers made the matter public.
For now, there is no official patch to fix this ‘View Once’ vulnerability for WhatsApp users. Nevertheless, according to Bleeping Computer, Meta is likely working on a fix that will be rolled out in future releases. This is what Meta’s statement reads:
Our bug bounty program is a key way we receive valuable feedback from third-party researchers, and we’re already rolling out updates that we can check out on the web. We continue to encourage users to view messages just once to people they know and trust.
Let us know your thoughts in the comments.
