News: 1733815809

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

WhatsApp finally fixes View Once flaw that allowed theft of supposedly vanishing pics

(2024/12/10)


WhatsApp has fixed a problem with its View Once feature, designed to protect people's privacy with automatically disappearing pictures and videos.

View Once was [1]introduced in 2021, enabling media to delete itself after being opened. However, that privacy mechanism was flawed and could be "trivially bypassed" when using the web app and a rogue browser extension, [2]according to the researchers who discovered this weakness in August and responsibly disclosed the issue to WhatsApp.

WhatsApp put out a quick fix – but it was [3]less than perfect and would still allow images to be viewed even after they were supposed to have vanished. Now, the biz claims the issue has been resolved with a software update.

[4]

"We're constantly building in layers of privacy protection, and that includes rolling out key updates to View Once on web," a WhatsApp spokesperson told The Register . "As always, we continue to encourage users to only send view once messages to people they know and trust, and make sure they're on the latest version of the app."

[5]WhatsApp still working on making View Once chats actually disappear for all

[6]WhatsApp's 'View Once' could be 'View Whenever' due to a flaw

[7]WhatsApp may expose the OS you use to run it – which could expose you to crooks

[8]India slaps Meta with five-year ban on sharing info from WhatsApp for ads

The initial issue, discovered by folks at crypto wallet startup Zengo, allowed "View Once" messages to be accessed by web clients that didn't adhere to the app's disappearing messages protocol. Several developers wrote browser extensions that would ignore the View Once command and keep a copy of the media the messages contained.

Though Zengo co-founder Tal Be'ery nit-picked the latest fix, which prevents browser extensions from getting media sent in vanishing messages, he [9]acknowledged the update is a "great improvement with respect to the original starting point. We are happy that our discoveries and publications pushed WhatsApp into fixing View Once in a thorough manner to protect this feature's users' privacy." ®

Get our [10]Tech Resources



[1] https://blog.whatsapp.com/view-once-photos-and-videos-on-whatsapp

[2] https://www.theregister.com/2024/09/09/whatsapp_view_once_flaw/

[3] https://www.theregister.com/2024/09/18/whatsapp_view_once_flaw_unfixed/

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1gfVFPLBgOPLAjC-o5GawAAAEw&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[5] https://www.theregister.com/2024/09/18/whatsapp_view_once_flaw_unfixed/

[6] https://www.theregister.com/2024/09/09/whatsapp_view_once_flaw/

[7] https://www.theregister.com/2024/10/16/whatsapp_privacy_concerns/

[8] https://www.theregister.com/2024/11/19/india_whatsapp_data_sharing_sanctions/

[9] https://medium.com/@TalBeerySec/metas-data-meta-s-whatsapp-fix-for-view-once-and-its-impact-on-metadata-f88df5afe8c3

[10] https://whitepapers.theregister.com/



It's a Meta service...

Scotech

Who on earth is seriously expecting a corporation who's whole business model is founded on over-sharing to give much of a crap about privacy? The way I see it, this is a downgrade in security, as it now means additional metadata is being hoovered up by Meta. All so... What? The user gets better protection against their recipient keeping a copy of something sent to them? Here's a bright idea... If you don't want someone to be able to keep a copy, maybe think twice about sending it to them in the first place? Or have Meta found a way to prevent me pointing a camera at my device's screen and making a copy the old-fashioned way?

Lee D

40 years on and we're still pretending that the analogue hole doesn't exist.

Dave K

I was wondering that as well. How do you stop someone from using the snipping tool to grab a copy?

petef

[1]Dilbert on Camera Phone Banning

[1] https://taoofmac.com/space/blog/2004/11/14/1750

"Dilbert on Camera Banning"

Bebu sa Ware

Is the cartoonist uncancelled now?

Delivered the impossible

sabroni

Seems unlikely.

If the image is on screen then a camera can take a photo of it. There is no way to let someone see an image without letting them see it.

Dissapointing to see el reg publish this story without it's usual snark. Sounds like you believe the "view once" bollocks too.

mark l 2

The amount of pron website with leaked Snapchat pics shows that no matter what technical measures these app puts in place to stop people saving the 'one time view' pictures and videos, someone who is determined to keep them can easily bypass them.

Chat apps that are offered for free and primarily exist to hoover up their users data to sell ads to aren't going to go to the lengths that movie do to try keep their content from getting leaked with DRM, HDCP etc. And even then that doesn't the latest films being available to download online from torrent sites within hours of them being released, so the question is why bother in the first place?

View Once

Bebu sa Ware

I supposed if every phone had a decent laser you might guarantee the recipient only views the image once but then they wouldn't be able to view anything else afterwards.

I was wondering if an image could be randomly be split into 25 separate frames that individually look like noise but when presented sequentially in one second are perceived by the viewer as the original image thanks to the persistence of vision. Even then just capturing all the frames allows the image to be reconstructed.

As a previous comment noted if a person posted a photograph that they really didn't want anyone to retain a copy they are a bit lacking in the upstairs department. Pretty obvious if it's not ok for years then it's not ok for only seconds.

If you voluntarily surrender privacy for seconds or minutes then it's a bit like virginity you don't get it back (crudely put you're f....)

"We're constantly building in layers of privacy protection"

Pascal Monett

That's rich, coming from Meta, a company who is constantly trying to find new ways to invade user privacy.

And, given that since Windows 1 0 there is Ctrl-Win-Shift to grab anything on screen, all of this argument is only valid for people who use Facebook on their smartphone.

I've heard that the youngsters have abandoned Facebook, so it's only the older generation that is using it - and they generally don't like smartphones, right ?

My layer of protection is Firefox + NoScript + Ublock Origin. You go ahead and try to beat that, Meta.

Sentimentality -- that's what we call the sentiment we don't share.
-- Graham Greene