A researcher has discovered another method to bypass WhatsApp’s View Once feature, but Meta does not plan to patch it because it involves a modified client application.
The View Once feature enables users to send photos, videos or voice messages that disappear from the chat after they have been viewed by the recipient. In addition, View Once is designed to prevent users from saving, forwarding, or taking screenshots of the content before it disappears.
Tal Be’ery, a reputable researcher and co-founder and CTO of the Zengo cryptocurrency wallet, has found several ways to bypass View Once over the past couple of years, demonstrating how someone could download the file sent via View Once before it vanishes.
Zengo issued a warning in September 2024 after discovering that a bypass reported at the time had been exploited in the wild.
The latest View Once bypass method is the fourth uncovered by Be’ery. The researcher told SecurityWeek that all previously discovered bypass vulnerabilities were eventually patched by WhatsApp developers, and that he received a bug bounty for one of them.
Be’ery has demonstrated the latest method for SecurityWeek and on Wednesday he published a blog post explaining his findings, without sharing technical details to prevent malicious exploitation. The researcher has also shared a video showing the exploit in action.
The exploit involves the use of a modified WhatsApp client. Be’ery pointed out that an attacker could also leverage a browser extension and WhatsApp Web for mass exploitation.
WhatsApp owner Meta has been informed about the vulnerability, but the company indicated it would not patch it. The vendor informed the researcher that the issue falls outside of its security model and is not covered by its bug bounty program, arguing that it’s difficult to completely prevent a user from capturing content sent via View Once, as they can use another phone to take photos or videos of the content, or use a modified WhatsApp client.
Be’ery is displeased that Meta has — in his view — not been consistent in assessing such vulnerabilities, arguing that previously reported issues all involved modified clients and were all patched.
As a solution to View Once bypass methods, the researcher proposes implementing a digital rights management (DRM) system.
“Similar to Netflix, WhatsApp needs to make sure View Once media is not digitally abused by attackers trying to redistribute it and explicitly scope out analog recording as outside its threat model,” Be’ery said. “By doing so, WhatsApp can establish a clear delineation between issues that are included within the security model and those that are not, and concentrate its security resources accordingly.”
Contacted by SecurityWeek, Meta clarified that it considers View Once an additional privacy layer that reduces persistence for media files sent between trusted contacts in the official WhatsApp application.
The company noted that the privacy feature is designed for conversations between people who trust each other and — as communicated to users — it should only be used to send content to trusted contacts and should not be viewed as a forensic-grade data deletion tool.
Meta said it continuously hardens View Once in official clients, but client spoofing and modified clients fall outside the scope of its bug bounty program. The company claims it has been consistent in its assessment of View Once security issues in official clients as opposed to attacks involving rogue clients.
[ Read: Researcher Spotlights WhatsApp Metadata Leak ]
The tech giant said it appreciates Be’ery’s continuous contributions, but in the case of the latest View Once issue the report is out of scope due to the involvement of an unofficial client application.
As for the researcher’s suggestion to use DRM, Meta believes it’s not a good fit for a private messenger’s threat model for several reasons, including the fact that DRM relies on a license server that controls who receives decryption keys. In addition, DRM would still allow someone to record the content on a second device, and the DRM system itself can also be hacked.
Related: WhatsApp Boosts Account Security for At-Risk Individuals
Related: Vulnerability Allowed Scraping of 3.5 Billion WhatsApp Accounts
Related: NPM Package With 56,000 Downloads Steals WhatsApp Credentials, Data
