WhatsApp, the world's most popular end-to-end encrypted messaging app with over 2 billion users, allows users to exchange photos and videos that disappear as soon as they are opened.
But a bug in the way WhatsApp implements the so-called “view once” feature on its browser-based web app could allow malicious recipients to view and save photos and videos that are supposed to disappear soon after being viewed.
The “view once” feature is designed to work only on the Android and iOS WhatsApp mobile apps. WhatsApp introduced the feature in 2021.
Typically, when users receive a “view once” photo or video while using WhatsApp on the desktop or web app, they'll be shown a warning that the photo or video can only be opened using WhatsApp on their phone.
The warning that WhatsApp displays on its desktop and web apps when a user receives “view once” media. (Image: TechCrunch/Screenshot)
As an added privacy protection, WhatsApp now prohibits users from taking screenshots or screen recordings of “view once” photos and videos on its Android and iOS apps.
WhatsApp will now display a warning on the mobile app if a user tries to take a screenshot of a “view once” photo or video. (Image: TechCrunch)
The bug was recently discovered by security researcher Tal Be'ery, who has been studying WhatsApp privacy issues for several months and on Monday published a blog post detailing his findings.
Be'ery provided TechCrunch with a live demo of the bug last week, demonstrating how it allows him to capture and save copies of photos sent as “view once” while using WhatsApp on the web.
“The only thing worse than no privacy is a false sense of privacy that tricks users into believing some of their communications are private when in fact they are not,” Be'ery, CTO and co-founder of crypto wallet Zengo, said in a blog post. “Currently, WhatsApp's 'view once' feature is a blatant form of false privacy and should be thoroughly fixed or scrapped,” Be'ery wrote.
Be'ery reported the bug to WhatsApp's parent company Meta through the official bug bounty platform on August 26.
In response to a request for comment from TechCrunch last week, days after Be'ery filed the bug report, WhatsApp spokesperson Zade Alsawah issued a statement: “We're already rolling out an update to enable ‘view once’ on the web, and we continue to encourage users to only send ‘view once’ messages to people they know and trust.”
Be'ery is not the first person to discover this bug. Be'ery and TechCrunch saw posts promoting multiple browser extensions that make it easy to circumvent the “view once” feature while using WhatsApp's web app. TechCrunch also saw active discussions on social media about how to circumvent the feature. TechCrunch is not linking to the posts to avoid helping bad actors exploit the bug.
WhatsApp did not provide a timeline for when it plans to complete the “view once” update.