    Bug lets anyone bypass WhatsApp’s ‘View Once’ privacy feature

    WhatsApp, the most popular end-to-end encrypted messaging app in the world with more than two billion users, allows users to exchange pictures and videos that disappear soon after being opened.

    But a bug in how WhatsApp implements its so-called “View Once” feature in its browser-based web app allows any malicious recipient to display and save the picture and video, which should disappear immediately after being seen.

    The “View Once” feature is designed to work only on WhatsApp’s mobile apps on Android and iOS. WhatsApp rolled out the feature in 2021.

    Under normal circumstances, when a user receives a “View Once” picture or video while using WhatsApp on the desktop app or on the web app, the user will see a warning that the picture or video can only be opened using WhatsApp on their phone.

    The warning that WhatsApp displays on its desktop app and web app when a user receives “View Once” media. (Image: TechCrunch/Screenshot)

    As an added privacy protection, WhatsApp prevents users from taking screenshots or screen recordings of “View Once” pictures and videos in its Android and iOS apps.

    The warning that WhatsApp displays on its mobile apps when a user tries to take a screenshot of a “View Once” picture or video. (Image: TechCrunch)

    Tal Be’ery, a security researcher who has been researching WhatsApp privacy issues for several months, recently discovered the bug. On Monday, Be’ery published a blog post detailing his findings.

    Be’ery provided TechCrunch with a live demo of the bug last week, in which he showed he was able to capture and save a copy of a picture that TechCrunch sent as “View Once,” while he was using WhatsApp on the web.

    “The only thing that is worse than no privacy, is a false sense of privacy in which users are led to believe some forms of communication are private when in fact they are not,” said Be’ery, who is the CTO and co-founder of crypto wallet Zengo, in his blog post. “Currently, WhatsApp’s ‘View Once’ is a blunt form of false privacy and should either be thoroughly fixed or abandoned,” wrote Be’ery.

    Contact Us

    Do you have more information about bugs in WhatsApp or other messaging apps? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.

    Be’ery reported the bug to WhatsApp’s parent company Meta through its official bug bounty platform on August 26.

    In response to TechCrunch’s request for comment last week, and days after Be’ery filed his bug report, WhatsApp spokesperson Zade Alsawah sent a statement: “We are already in the process of rolling out updates to view once on web. We continue to encourage users to only send view once messages to people they know and trust.”

    Be’ery is not the first person to find out about this bug. Be’ery and TechCrunch saw posts promoting several browser extensions that make it trivially easy to bypass the “View Once” feature while using WhatsApp’s web app. TechCrunch has also seen active discussions on how to bypass the feature on social media. TechCrunch is not linking to the posts so as not to help malicious actors exploit the bug.

    WhatsApp did not provide a timeline for when it plans to complete its updates to View Once.