Meta’s WhatsApp recently faced scrutiny after a significant vulnerability in its “View Once” feature was discovered, allowing attackers to bypass its privacy protections.
This feature, designed to let users send media that can only be viewed once, was found to be easily exploited through modified WhatsApp Web clients.
Although Meta has now implemented fixes, the issue has raised concerns about the effectiveness of privacy measures and the trade-offs involved.
WhatsApp View Once Vulnerability
The “View Once” feature is intended to enhance privacy by preventing recipients from forwarding, sharing, or copying sensitive media.
However, according to researcher Tal Be’ery, the protection could be bypassed using browser extensions that slightly modify the WhatsApp Web client.
These extensions ignored the “View Once” flag attached to the media and enabled recipients to save or redistribute it.
The core of the issue lay in how WhatsApp Web handled such media. Even though “View Once” content was not supposed to appear on web clients, it was still sent to them with a marker indicating its status.
A modified client could simply disregard this flag and access the media without restrictions.
This vulnerability was responsibly disclosed to Meta earlier this year. However, reports emerged in September 2024 that publicly available browser extensions with thousands of users were exploiting the flaw. This prompted researchers to publicly disclose their findings to warn users.
Meta initially released a partial fix in mid-September 2024, addressing some aspects of the problem. However, attackers quickly adapted their tools, rendering the fix ineffective.
In mid-November 2024, according to the report, Meta rolled out a more robust server-side fix that effectively blocked unauthorized access to “View Once” media on web clients.
The updated solution prevents WhatsApp Web from receiving encrypted media for “View Once” messages altogether.

Instead, web clients receive an error message when attempting to access such content. This approach ensures that only authorized devices can display the media.
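The difference between the two designs described above can be shown with a toy model. This is an added example, not WhatsApp's code or protocol: every field name, function name and value is hypothetical, and `mediaKey` stands in for whatever lets a device decrypt the attachment.

```javascript
// Toy model (added example): hypothetical names, constructed values.
const message = { id: "m1", viewOnce: true, mediaKey: "constructed-key" };

// Before the fix: every linked device receives the media plus a flag,
// and enforcement is left to the receiving client.
function deliverWithClientFlag(msg, device) {
  return { id: msg.id, viewOnce: msg.viewOnce, mediaKey: msg.mediaKey };
}

// After the fix: the server decides from the message type and the device
// type, and web clients get an error placeholder instead of the media.
function deliverServerEnforced(msg, device) {
  if (msg.viewOnce && device.type === "web") {
    return { id: msg.id, viewOnce: true, error: "unsupported-on-web" };
  }
  return { id: msg.id, viewOnce: msg.viewOnce, mediaKey: msg.mediaKey };
}

// A web client that honours the flag: view-once media is never shown.
function officialWebClient(payload) {
  if (payload.error || payload.viewOnce) return null;
  return payload.mediaKey;
}

// A client that disregards the flag, as the article says modified
// web clients did: it uses whatever the server sent.
function flagIgnoringClient(payload) {
  return payload.mediaKey ?? null;
}

// For each delivery policy and client, does the web device hold the media?
function exposureMatrix() {
  const web = { type: "web" };
  const policies = [["client-flag", deliverWithClientFlag],
                    ["server-enforced", deliverServerEnforced]];
  const clients = [["official", officialWebClient],
                   ["flag-ignoring", flagIgnoringClient]];
  const rows = [];
  for (const [policy, deliver] of policies) {
    for (const [client, render] of clients) {
      rows.push({ policy, client, exposed: render(deliver(message, web)) !== null });
    }
  }
  return rows;
}

console.table(exposureMatrix());
```

Only the client-flag policy paired with the flag-ignoring client exposes the media; under server-side enforcement the outcome no longer depends on how the web client behaves.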
While the fix resolved the immediate vulnerability, it introduced new concerns about metadata exposure.
Although end-to-end encryption (E2EE) protects message content, metadata—such as sender and recipient IDs and message types—remains visible to WhatsApp servers.
This metadata could potentially be exploited under certain circumstances, raising questions about user privacy.
Additionally, the fix does not address vulnerabilities in modified mobile clients or potential forensic extraction of “View Once” media from other devices linked to a user’s account.
Experts suggest that a more comprehensive solution involving device integrity checks or digital rights management (DRM) may be necessary.
Meta’s response to the “View Once” vulnerability represents a significant improvement in protecting user privacy but highlights the challenges of balancing security and usability.
Users are advised to remain cautious when using sensitive features like “View Once,” as no system is entirely foolproof.