News: 1725920109

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

WhatsApp's 'View Once' could be 'View Whenever' due to a flaw

(2024/09/10)


Video A popular privacy feature in WhatsApp is "completely broken and can be trivially bypassed," according to developers at cryptowallet startup Zengo.

According to cofounder Tal Be'ery, his team was building a web interface when they discovered a flaw in WhatsApp's View Once. While the feature was supposed to be limited to platforms where the necessary controls could be enforced, such as mobile clients, the WhatsApp API server didn't properly enforce it.

The server would still send these messages to other platforms, but they couldn't be viewed - unless someone fiddled with the code.

[1]

"The View [O]nce media messages are technically the same as regular media messages, only with the “view once” flag set," the technical explanation [2]states .

[3]

[4]

"Which means it’s the virtual equivalent of putting a note on the picture that says 'don’t look.' All that is required for attackers to circumvent it, is merely to set this flag to false and the media become regular and can be downloaded, forwarded and shared."

You can see this in operation in the video below:

[5]

[6]Youtube Video

Three years ago, WhatsApp [7]introduced View Once mode, which allows messages to be sent, looked at, and then deleted without the recipient being able to save a screenshot of the message. It's not a perfect system - the recipient can use another camera to take a picture of the message, but it wasn't bad either, and it would stem privacy violations.

Taking the image directly is far more efficient than snapping a photo of it with another phone, Be'ery told The Register , likening it to using a tape-to-tape recording as opposed to the mass sharing of MP3 à la Napster.

[8]

"People can save and copy the image, which invalidates the purpose of the feature. It's privacy theater," he explained. "It's a sloppy design, designed in a very bad way. The design of the whole thing is a dumpster fire."

[9]Meta accused of snarfing people's Snapchat data via traffic decryption

[10]You'll soon be able to ghost a WhatsApp group without making everyone hate you

[11]Researchers find Meta's withdrawal of misinformation tool hard to swallow

[12]WhatsApp, Threads, more banished from Apple App Store in China

Additionally, the Zengo team found code examples on GitHub of a modified Android client and a Chrome extension (should people be dumb enough to take the risk of embedded malware and use them) that could allow anyone to exploit the issue. So the team decided to abandon the usual 90-day waiting period for responsible disclosure and go public.

On August 26, Be'ery's team notified WhatsApp about the issue over two weeks ago via Meta's bug bounty program, and a spokesperson confirmed to us that the problem had been logged and was being investigated.

“Our bug bounty program is an important way we receive valuable feedback from external researchers and we are already in the process of rolling out updates to view once on web," we were told. "We continue to encourage users to only send view once messages to people they know and trust.”

Sources familiar with the matter report that a fix for this is being actively worked on and will be available as soon as it has been successfully tested. ®

Get our [13]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zt_EZSkchalPIihu11rLTgAAAU8&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://medium.com/@TalBeerySec/once-and-forever-whatsapps-view-once-functionality-is-broken-302a508390b0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zt_EZSkchalPIihu11rLTgAAAU8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zt_EZSkchalPIihu11rLTgAAAU8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zt_EZSkchalPIihu11rLTgAAAU8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.youtube.com/watch?v=GE1z5nnzHvM&t=173s

[7] https://blog.whatsapp.com/view-once-photos-and-videos-on-whatsapp

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zt_EZSkchalPIihu11rLTgAAAU8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://www.theregister.com/2024/03/27/meta_snapchat_data/

[10] https://www.theregister.com/2022/08/10/whatsapp_group_ghosting/

[11] https://www.theregister.com/2024/06/18/metas_decision_to_withdraw_misinformation/

[12] https://www.theregister.com/2024/04/19/whatsapp_threads_ban_china/

[13] https://whitepapers.theregister.com/



Sora2566

I mean, at the end of the day I'm not sure that this *can* be fixed.

In order for the client to view the message, the server has to send the message to the client. What the client does with the message after that is now out of the sever's control. All the server can do is just not send the message a second time - it can't force the client to forget it.

DoContra

None of these features, in any of these apps, can survive a photo/video camera/screen recorder[1], and for the most part are advertised as such. However, "not even attempting to hide the message from a client we know for a fact can't/won't do the right thing" is very low-hanging fruit, esp. for a platform where all clients are developed in-house[2].

[1]: Cellphone apps will put up a fight against screen recorders when running on hardware/the same VM tho.

[2]: The only "third party apps" I know for Whatsapp straight-up load the web version (Ferdi/Ferdium/etc).

If life isn't what you wanted, have you asked for anything else?