WhatsApp has fixed a bug that could allow malicious users to save photos and videos that were meant to be viewed only once and then disappear.
TechCrunch reported in September that a bug in the implementation of the “View Once” privacy feature could allow people using WhatsApp's browser-based web app to view and save photos and videos. The View Once feature is designed to prevent recipients from saving, sharing, forwarding, copying, or even taking screenshots or screen recordings of media sent as “View Once”; under normal circumstances, the photos and videos disappear after viewing.
On Friday, WhatsApp spokesperson Zade Alsawah told TechCrunch that the company has rolled out a long-term fix that resolves the issue.
“We are constantly building layers of privacy protection, including rolling out important updates that can only be viewed once on the web,” Alsawah said in an email. “As always, we continue to encourage users to only send View Once messages to people they know and trust, and to ensure they're using the latest version of the app.”
Contact Us: Do you have more information about bugs in WhatsApp or other messaging apps? From a non-work device, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, on Telegram and Keybase @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.
Security researcher Tal Be'ery, who has been investigating WhatsApp's privacy issues this year, alerted WhatsApp and TechCrunch to the bug. But Be'ery wasn't the only one to find the flaw. When he found it, there were also several browser extensions and social media posts promoting easy ways to circumvent the privacy feature. The extensions allowed users to automatically view and save media sent as View Once simply by installing them.
Users of these browser extensions, some of which require paid subscriptions, are complaining that they no longer work after a fix to WhatsApp that appears to have been pushed in the past few weeks. “It doesn't work at all. Don't waste your time,” complained one user.
Now, in a test conducted by TechCrunch on Friday, when a View Once message was received on the WhatsApp web app, the app displayed an alert message, the same one that normally appears in the desktop apps.
An alert that WhatsApp displays on the desktop and web apps when a user receives “View Once” media. (Image credit: TechCrunch/Screenshot)
In another test conducted by TechCrunch and Be'ery last week, the researchers confirmed a different message: “We are waiting for this message. Please check your phone.”
In any case, Be'ery was unable to save the photo using the techniques he had been using for months. “In some cases, if a vulnerability were to be exploited in the wild, responsible disclosure would be responsible disclosure,” Tal Be'ery told TechCrunch. “We are very pleased that our investigation and publication enabled WhatsApp to resolve the issue and protect the privacy of its users.”
Be'ery, CTO and co-founder of cryptocurrency wallet Zengo, published a blog post analyzing the fix on Monday.
View Once was released in 2021 and is designed to work only with WhatsApp's iOS and Android apps, not the web or desktop apps.