WhatsApp View Once flaw fix lasts days before failing

A fix deployed by Meta to stop people repeatedly viewing WhatsApp’s so-called View Once messages – photos, videos, and voice recordings that disappear from chats after a recipient sees them – has been defeated in less than a week by white-hat hackers.

View Once was introduced in August 2021 as an optional privacy measure. But last week security flaw finders at cryptowallet startup Zengo went public with ways to revive self-destructed View Once material.

Zengo used Meta's bug bounty program in August to report the security weakness to WhatsApp, and heard nothing back. After spotting multiple pieces of software that were designed to exploit this flaw and harvest supposedly self-destructing pictures, the crypto concern publicly disclosed the details.

WhatsApp then tweaked its code a few days later to make it harder to get around the View Once protections, and at first it appeared to have worked - the GitHub sites hosting the exploit code started getting messages complaining the content-saving extensions no longer worked.

Zengo re-investigated the issue and found that the update by Meta wasn't enough: the core issue allowing miscreants to re-open View Once data was still there.

"While generally the fix was a good initial step in the right direction by Meta’s WhatsApp, it is still not enough," Zengo cofounder Tal Be'ery wrote in an explainer on Monday.

"The core issue of the View Once media message containing all the information required to view it, in an environment that should not be able to show it, still remains unsolved. To bypass the fix, exploiters just need to go 'upstream' and toggle the View Once flag to false when it is received by the app and before it is stored in the database."

The video below shows this is not a terrifyingly complex feat to achieve.

Youtube Video

"We have shown it can be done," Be'ery told The Register. "So we assume others will be able to do that too."

Sure enough, one of the developers of a View Once exploit has confirmed they have found a mechanism to get around the updated WhatsApp code and will be publishing a new extension shortly.

The fundamental problem is that these supposedly evaporating messages are still being sent to platforms that shouldn't be getting them, Be'ery said. Until Meta changes that, the problem looks likely to persist. He said he was also disappointed that after all this Meta still hadn't got in touch with Zengo, despite its bug bounty terms of service promising frequent communication on submissions.

Meta declined to comment to The Register.

Sources familiar with the situation, however, told us the fix was only meant to be an interim measure and a more comprehensive code revamp is under way. ®

Source: theregister.com
