WhatsApp still working on making View Once chats actually disappear for all

So far it's more like View Forever


Meta's efforts to stop people repeatedly viewing WhatsApp's so-called View Once messages – photos, videos, and voice recordings that disappear from chats after a recipient sees them – so far remain incomplete.

An interim fix deployed to stop people keeping hold of View Once data has been defeated in less than a week by white-hat hackers. WhatsApp says it's still working on addressing the vulnerability in full and changes made so far are stop-gap measures.

View Once was introduced in August 2021 as an optional privacy measure. But last week security flaw finders at cryptowallet startup Zengo went public with ways to revive seemingly self-destructed View Once material.

Zengo used Meta's bug bounty program in August to report the security weakness to WhatsApp, and heard nothing back. After spotting multiple pieces of software that were designed to exploit this flaw and harvest supposedly self-destructing pictures, the crypto concern publicly disclosed the details.

Essentially, the API servers treat View Once messages as normal messages but with a flag on them saying: Please only show this once. A rogue app or browser extension able to talk to those servers could just ignore that request, allowing the user to keep the data.

As a result of the disclosure, WhatsApp tweaked its code a few days later to make it harder to get around the View Once requirements, and at first it appeared to have worked. Users of browser extensions that exploited the initial weakness to circumvent View Once complained their content-saving tools no longer worked.

Zengo re-investigated the issue and confirmed the update by Meta was incomplete, and said the root vulnerability allowing miscreants to keep View Once data was still there.

"While generally the fix was a good initial step in the right direction by Meta’s WhatsApp, it is still not enough," Zengo cofounder Tal Be'ery wrote in an explainer on Monday. "The core issue of the View Once media message containing all the information required to view it, in an environment that should not be able to show it, still remains unsolved."

As we said, the problem is that if you're able to make a client that imitates an official WhatsApp app, or able to manipulate the WhatsApp web app with an extension, the API service will trust your program to do the right thing when it receives a View Once message.

Though your humble vulture will refrain from going into too much detail about a not-fully-patched privacy hole at this stage, the video below shows this is not a terrifyingly complex shortcoming to exploit.

"We have shown it can be done," Be'ery told The Register. "So we assume others will be able to do that too."

Sure enough, one of the developers of a View Once exploit confirmed they have found a method to get around the updated WhatsApp code and will be publishing a new browser extension shortly.

The fundamental problem is that these supposedly evaporating messages are still being sent to platforms that shouldn't be getting them, Be'ery said. Until Meta changes that, the problem looks likely to persist. He said he was also disappointed that after all this Meta still hadn't got in touch with Zengo, despite its bug bounty terms of service promising frequent communication on submissions.
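The design flaw the article describes, and the fix Be'ery is asking for, can be modelled in a few dozen lines. The following is an added illustration, not WhatsApp's or Zengo's code: a message relay that attaches the full media payload to every copy of a View Once message and trusts each client to honour the flag (the situation described above), beside a relay that treats the flag as server-enforced policy and withholds the payload from clients that cannot enforce it. All names (`Message`, `Client`, `relay_trusting_client`, `relay_capability_gated`, `enforces_view_once`) and the sample media bytes are constructed for the example.

```python
"""Model of the View Once weakness described in the article.

Hypothetical model, not WhatsApp's code. A 'client' here is a recipient
endpoint; `enforces_view_once` models whether that platform's client can be
trusted to honour the flag (a hardened mobile app) or not (a web session
that a browser extension can manipulate).
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Message:
    msg_id: str
    view_once: bool
    media: Optional[bytes]           # full media bytes, or None if withheld server-side
    placeholder: Optional[str] = None


@dataclass
class Client:
    name: str
    enforces_view_once: bool
    inbox: List[Message] = field(default_factory=list)


def relay_trusting_client(msg: Message, recipients: List[Client]) -> None:
    """Weak design (as the article describes it): every client receives the
    full payload plus a flag that says 'please only show this once', and the
    server trusts the client to discard the media afterwards."""
    for c in recipients:
        c.inbox.append(msg)


def relay_capability_gated(msg: Message, recipients: List[Client]) -> None:
    """Hardened design: the server enforces the flag itself. A client that
    cannot honour View Once never receives the media, only a placeholder."""
    for c in recipients:
        if msg.view_once and not c.enforces_view_once:
            c.inbox.append(Message(msg.msg_id, True, None,
                                   placeholder="View Once media: open it on your phone"))
        else:
            c.inbox.append(msg)


def media_reaching_untrusted(relay: Callable[[Message, List[Client]], None]) -> List[str]:
    """Send one View Once message through `relay` and return the names of the
    clients that cannot enforce the flag yet ended up holding the media bytes."""
    phone = Client("android-app", enforces_view_once=True)
    web = Client("web-session", enforces_view_once=False)
    # Constructed sample payload; any bytes would do for the model.
    msg = Message("m1", view_once=True, media=b"\x89PNG constructed sample")
    relay(msg, [phone, web])
    return sorted(c.name for c in (phone, web)
                  if not c.enforces_view_once and any(m.media for m in c.inbox))


if __name__ == "__main__":
    print("trusting-client design leaks media to:",
          media_reaching_untrusted(relay_trusting_client))
    print("capability-gated design leaks media to:",
          media_reaching_untrusted(relay_capability_gated))
```

The point of the second relay is the one Be'ery makes: once the server has handed the bytes to an endpoint it cannot control, no flag on the message can get them back, so the only enforcement that holds is the server's decision about what to send to which platform. In the model, the trusting relay leaves the web session holding the media while the gated relay leaves it with a placeholder only.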

Meta declined to comment to The Register.

Sources familiar with the situation, however, told us the fix implemented to date was only meant to be an interim measure and a more comprehensive code revamp is under way. ®

Updated to add at 1815 UTC on September 18

Meta has assured us it's still working on addressing the privacy shortcomings reported by Zengo, and that's why the fix is so far incomplete. "As we said before, we are in the process of rolling out updates to View Once on web. Those additional updates are forthcoming," a spokesperson for WhatsApp told The Register.

Be'ery meanwhile said he was disappointingly awarded zero dollars by Meta's bug bounty program for pointing out a circumvention of WhatsApp's disappearing-messages feature that was being actively exploited in the wild.

That's because, according to Meta, the biz was already aware of the security failing and was trying to address it when he disclosed the issue to them.

Be'ery believes WhatsApp will try to fix this snafu by killing off View Once for its web client, thus stopping browser extension-based exploitation, though modified WhatsApp Android apps that ignore the View Once requirements, for example, will continue to be able to harvest supposedly self-destructing messages.
