WhatsApp View Once fix takes days before it fails • The Register

A workaround implemented by Meta to prevent people from repeatedly viewing WhatsApp’s so-called View Once messages (photos, videos and voice recordings that disappear from chats after the recipient has seen them) has been bypassed by white-hat hackers in less than a week.

View Once was introduced in August 2021 as an optional privacy measure. But last week, security researchers at crypto wallet startup Zengo came up with ways to revive self-destructed View Once material.

It all stems from View Once relying on digital rights management in iOS, Android, and a few other operating systems to work as expected. Operating systems without that DRM allowed continued access to what should have been View Once content, simply by using the URL of a file sent in a WhatsApp message.

Zengo used Meta’s bug bounty program in August to report the vulnerability to WhatsApp, but heard nothing back. After discovering multiple software programs designed to exploit the flaw and supposedly collect self-destructing images, the crypto firm went public with the details.

A few days later, WhatsApp modified the code to make it harder to bypass the View Once protection. At first, it seemed to work: the GitHub sites hosting the exploit code started receiving reports that the content-saving extensions were no longer working.

Zengo reinvestigated the issue and found that the update by Meta was not sufficient and that there were still ways to reopen View Once data.

“While Meta’s WhatsApp fix was a good first step in the right direction, it is still not enough,” Zengo co-founder Tal Be’ery wrote in a statement.

“The core problem of the View Once media message displaying all the information needed to view it, in an environment it shouldn’t be able to display, remains unresolved. To circumvent the solution, operators simply need to go ‘upstream’ and set the View Once flag to false when it is received by the app and before it is stored in the database.”

The video below shows that this is not a terribly complicated task.

YouTube video

“We have shown that it can be done,” Be’ery told The Register. “We therefore assume that others can do this too.”

And indeed, one of the developers of the View Once exploit has confirmed that they have found a way to bypass the updated WhatsApp code and will be releasing a new extension soon.

The fundamental problem is that these supposedly evaporating messages are still being sent to platforms that shouldn’t be receiving them, Be’ery said. Until Meta changes that, the problem appears set to persist. He also said he was disappointed that Meta still hasn’t reached out to Zengo after all this, despite the bug bounty terms of service that promise frequent communication about submissions.
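The design point above, that View Once media should not reach platforms unable to enforce it, shown as an added sketch; it is not code from WhatsApp, Zengo or the original article. The device model, the platform names, `ENFORCING_PLATFORMS` and every function name are hypothetical, and the sample devices, URL and key are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption: only these platforms can enforce view-once inside the client.
ENFORCING_PLATFORMS = {"ios", "android"}

@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str  # e.g. "ios", "android", "web", "desktop"

@dataclass(frozen=True)
class Envelope:
    device_id: str
    media_url: Optional[str]    # where the encrypted blob can be fetched
    media_key: Optional[bytes]  # key needed to decrypt it
    view_once: bool             # advisory flag, honoured only by a cooperating client

def fanout_trusting_client(devices: List[Device], url: str, key: bytes,
                           view_once: bool) -> List[Envelope]:
    """Weak model: every linked device receives URL and key; the flag is only advice."""
    return [Envelope(d.device_id, url, key, view_once) for d in devices]

def fanout_gated(devices: List[Device], url: str, key: bytes,
                 view_once: bool) -> List[Envelope]:
    """Hardened model: platforms that cannot enforce view-once get a placeholder only."""
    out = []
    for d in devices:
        if view_once and d.platform not in ENFORCING_PLATFORMS:
            out.append(Envelope(d.device_id, None, None, True))
        else:
            out.append(Envelope(d.device_id, url, key, view_once))
    return out

def exposed_devices(envelopes: List[Envelope]) -> List[str]:
    """Devices holding everything needed to fetch and decrypt, whatever the flag says."""
    return sorted(e.device_id for e in envelopes if e.media_url and e.media_key)

# Constructed sample: one phone plus two linked devices on non-enforcing platforms.
DEVICES = [Device("phone-1", "android"), Device("browser-1", "web"),
           Device("laptop-1", "desktop")]
URL = "https://media.example.invalid/blob/abc"
KEY = b"\x00" * 32

if __name__ == "__main__":
    print("client-trusting:", exposed_devices(fanout_trusting_client(DEVICES, URL, KEY, True)))
    print("gated:          ", exposed_devices(fanout_gated(DEVICES, URL, KEY, True)))
```

In the gated model no flag flipped on a non-enforcing client can recover the media, because that client never receives the URL or the key.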

Meta declined to comment to The Register.

However, sources familiar with the situation told us that the fix was only intended as a temporary measure and that a more comprehensive review of the code is underway.