WhatsApp, the world’s leading end-to-end encrypted messaging platform, is facing scrutiny following the discovery of a significant bug that undermines its “View Once” privacy feature. Introduced in 2021, this feature was designed to enhance user privacy by allowing pictures and videos to disappear after being viewed once. However, a newly uncovered vulnerability in WhatsApp’s web application enables malicious users to bypass this function and retain content that was intended to vanish after a single view.
The “View Once” feature on WhatsApp was developed to work exclusively on the mobile applications for Android and iOS; users who attempt to open “View Once” media on WhatsApp Web or Desktop are warned that they need to switch to their mobile devices. However, Tal Be’ery, a cybersecurity researcher and CTO of crypto wallet company Zengo, discovered a critical flaw in WhatsApp’s web app that allows any recipient to bypass the “View Once” restriction.
Be’ery, who has been delving into WhatsApp’s privacy vulnerabilities for several months, published a blog post on September 9, 2024, highlighting this flaw. According to Be’ery, the bug permits malicious users to view and save “View Once” media without triggering the intended privacy safeguards. During a live demonstration for TechCrunch, Be’ery successfully captured and saved a “View Once” picture sent to him via WhatsApp Web.
“The only thing worse than no privacy is a false sense of privacy,” Be’ery noted in his blog post. He expressed concerns that users are misled into believing their communication is secure when it isn’t. “WhatsApp’s ‘View Once’ is a blunt form of false privacy and should either be thoroughly fixed or abandoned,” he added.
Be’ery reported the bug to Meta, WhatsApp’s parent company, through its bug bounty platform on August 26, 2024. In response to TechCrunch’s inquiry, WhatsApp spokesperson Zade Alsawah acknowledged the issue and stated, “We are already in the process of rolling out updates to View Once on web. We continue to encourage users to only send View Once messages to people they know and trust.” However, the company has not provided a specific timeline for when the fix will be fully deployed.
It is worth noting that Be’ery is not the first to identify this loophole. TechCrunch has identified numerous browser extensions that make bypassing the “View Once” feature on WhatsApp Web trivially easy. There have also been active discussions on various social media platforms outlining methods to exploit this vulnerability, amplifying the potential risk.
10 Tips to Avoid Such Threats in the Future
- Use Trusted Devices Only: Always use WhatsApp on mobile devices to ensure “View Once” messages work as intended.
- Verify Recipients: Only send sensitive media to people you know and trust. Avoid sending “View Once” messages to unknown or unverified contacts.
- Be Aware of Privacy Limitations: Understand that even features meant for privacy can have vulnerabilities. Remain cautious with sensitive content.
- Update WhatsApp Regularly: Ensure you are using the latest version of WhatsApp on all your devices to get the most recent security patches and updates.
- Avoid Clicking on Suspicious Links: Never click on links from unknown sources, which could lead to browser extensions designed to bypass WhatsApp’s security.
- Disable WhatsApp Web if Not in Use: If you do not need to use WhatsApp on the web, consider disabling it to minimize the risk of potential exploits.
- Use Additional Encryption Tools: Consider using additional encryption tools or apps that provide higher privacy and security for extremely sensitive content.
- Stay Informed About Security Updates: Follow security news and updates from reputable sources like TechCrunch to stay informed about any newly discovered vulnerabilities.
- Participate in Security Awareness Programs: Regularly engage in cybersecurity training to learn about emerging threats and how to protect yourself online.
- Report Suspicious Activity: Immediately report any suspicious activities or potential security vulnerabilities to WhatsApp or relevant authorities.
Conclusion
The recent discovery of a vulnerability in WhatsApp’s “View Once” feature serves as a stark reminder of the limitations of digital privacy tools. While WhatsApp works on rolling out updates to address this issue, users must remain vigilant and cautious. As cyber threats evolve, so must our understanding of the potential risks associated with digital communication platforms. Staying informed, cautious, and proactive is key to maintaining personal privacy and security in today’s interconnected world.
Source: TechCrunch