WhatsApp fix to make View Once chats actually disappear is beaten in less than a week
(2024/09/18)
- Reference: 1726618566
- News link: https://www.theregister.co.uk/2024/09/18/whatsapp_view_once_flaw_unfixed/
- Source link:
A fix deployed by Meta to stop people repeatedly viewing WhatsApp’s so-called View Once messages – photos, videos, and voice recordings that disappear from chats after a recipient sees them – has been defeated in less than a week by white-hat hackers.
View Once was introduced in August 2021 as an optional privacy measure. But last week security flaw finders at cryptowallet startup Zengo [1]went public with ways to revive seemingly self-destructed View Once material.
Zengo used Meta's bug bounty program in August to report the security weakness to WhatsApp, and heard nothing back. After spotting multiple pieces of software that were designed to exploit this flaw and harvest supposedly self-destructing pictures, the crypto concern publicly disclosed the [2]details .
[3]
Essentially, the API servers treated View Once messages as normal messages but with a flag on them saying: Please only show this once. A rogue app able to talk to those servers could just ignore that request.
[4]
[5]
As a result of the disclosure, WhatsApp tweaked its code a few days later to make it harder to get around the View Once requirements, and at first it appeared to have worked - users of software that exploited the initial weakness to circumvent View Once complained their content-saving extensions no longer worked.
Zengo re-investigated the issue and found the update by Meta was incomplete, and that the root vulnerability allowing miscreants to keep View Once data was still there.
[6]WhatsApp's 'View Once' could be 'View Whenever' due to a flaw
[7]Meta accused of snarfing people's Snapchat data via traffic decryption
[8]Researchers find Meta's withdrawal of misinformation tool hard to swallow
[9]Venerable ICQ messaging service to end operations in June
"While generally the fix was a good initial step in the right direction by Meta’s WhatsApp, it is still not enough," Zengo cofounder Tal Be'ery wrote in an [10]explainer on Monday. "The core issue of the View Once media message containing all the information required to view it, in an environment that should not be able to show it, still remains unsolved."
Though your humble vulture will refrain from going into too much detail about a not-fully-patched privacy hole at this stage, the video below shows this is not a terrifyingly complex shortcoming to exploit.
[11]
[12]Youtube Video
"We have shown it can be done," Be'ery told The Register . "So we assume others will be able to do that too."
Sure enough, one of the developers of a View Once exploit confirmed they have found a method to get around the updated WhatsApp code and will be publishing a new extension shortly.
[13]
The fundamental problem is that these supposedly evaporating messages are still being sent to platforms that shouldn't be getting them, Be'ery said. Until Meta changes that, the problem looks likely to persist. He said he was also disappointed that after all this Meta still hadn't got in touch with Zengo, despite its bug bounty terms of service promising frequent communication on submissions.
Meta declined to comment to The Register .
Sources familiar with the situation, however, told us the fix implemented to date was only meant to be an interim measure and a more comprehensive code revamp is under way. ®
Get our [14]Tech Resources
[1] https://www.theregister.com/2024/09/09/whatsapp_view_once_flaw/
[2] https://zengo.com/whatsapps-view-once-privacy-issue/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZupQZUmPa-mykRPC3VWm8gAAAAg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZupQZUmPa-mykRPC3VWm8gAAAAg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZupQZUmPa-mykRPC3VWm8gAAAAg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/09/09/whatsapp_view_once_flaw/
[7] https://www.theregister.com/2024/03/27/meta_snapchat_data/
[8] https://www.theregister.com/2024/06/18/metas_decision_to_withdraw_misinformation/
[9] https://www.theregister.com/2024/05/27/icq_end_of_service/
[10] https://medium.com/@TalBeerySec/whatsapp-view-once-privacy-issue-initial-fix-assessment-the-good-the-bad-and-the-ugly-be97ec1cc2e5
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZupQZUmPa-mykRPC3VWm8gAAAAg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[12] https://www.youtube.com/watch?v=uEG0mIdUSZ8
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZupQZUmPa-mykRPC3VWm8gAAAAg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://whitepapers.theregister.com/
View Once was introduced in August 2021 as an optional privacy measure. But last week security flaw finders at cryptowallet startup Zengo [1]went public with ways to revive seemingly self-destructed View Once material.
Zengo used Meta's bug bounty program in August to report the security weakness to WhatsApp, and heard nothing back. After spotting multiple pieces of software that were designed to exploit this flaw and harvest supposedly self-destructing pictures, the crypto concern publicly disclosed the [2]details .
[3]
Essentially, the API servers treated View Once messages as normal messages but with a flag on them saying: Please only show this once. A rogue app able to talk to those servers could just ignore that request.
[4]
[5]
As a result of the disclosure, WhatsApp tweaked its code a few days later to make it harder to get around the View Once requirements, and at first it appeared to have worked - users of software that exploited the initial weakness to circumvent View Once complained their content-saving extensions no longer worked.
Zengo re-investigated the issue and found the update by Meta was incomplete, and that the root vulnerability allowing miscreants to keep View Once data was still there.
[6]WhatsApp's 'View Once' could be 'View Whenever' due to a flaw
[7]Meta accused of snarfing people's Snapchat data via traffic decryption
[8]Researchers find Meta's withdrawal of misinformation tool hard to swallow
[9]Venerable ICQ messaging service to end operations in June
"While generally the fix was a good initial step in the right direction by Meta’s WhatsApp, it is still not enough," Zengo cofounder Tal Be'ery wrote in an [10]explainer on Monday. "The core issue of the View Once media message containing all the information required to view it, in an environment that should not be able to show it, still remains unsolved."
Though your humble vulture will refrain from going into too much detail about a not-fully-patched privacy hole at this stage, the video below shows this is not a terrifyingly complex shortcoming to exploit.
[11]
[12]Youtube Video
"We have shown it can be done," Be'ery told The Register . "So we assume others will be able to do that too."
Sure enough, one of the developers of a View Once exploit confirmed they have found a method to get around the updated WhatsApp code and will be publishing a new extension shortly.
[13]
The fundamental problem is that these supposedly evaporating messages are still being sent to platforms that shouldn't be getting them, Be'ery said. Until Meta changes that, the problem looks likely to persist. He said he was also disappointed that after all this Meta still hadn't got in touch with Zengo, despite its bug bounty terms of service promising frequent communication on submissions.
Meta declined to comment to The Register .
Sources familiar with the situation, however, told us the fix implemented to date was only meant to be an interim measure and a more comprehensive code revamp is under way. ®
Get our [14]Tech Resources
[1] https://www.theregister.com/2024/09/09/whatsapp_view_once_flaw/
[2] https://zengo.com/whatsapps-view-once-privacy-issue/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZupQZUmPa-mykRPC3VWm8gAAAAg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZupQZUmPa-mykRPC3VWm8gAAAAg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZupQZUmPa-mykRPC3VWm8gAAAAg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/09/09/whatsapp_view_once_flaw/
[7] https://www.theregister.com/2024/03/27/meta_snapchat_data/
[8] https://www.theregister.com/2024/06/18/metas_decision_to_withdraw_misinformation/
[9] https://www.theregister.com/2024/05/27/icq_end_of_service/
[10] https://medium.com/@TalBeerySec/whatsapp-view-once-privacy-issue-initial-fix-assessment-the-good-the-bad-and-the-ugly-be97ec1cc2e5
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZupQZUmPa-mykRPC3VWm8gAAAAg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[12] https://www.youtube.com/watch?v=uEG0mIdUSZ8
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZupQZUmPa-mykRPC3VWm8gAAAAg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://whitepapers.theregister.com/
Meta? Privacy?
Please refrain from using those two words in the same paragraph, let alone in the same sentence - unless you precede the latter with "lack of" or "abuse of."