TL;DR: As part of our ongoing security research and countdown to our industry-defining Zengo Desktop’s full launch, we have identified a critical privacy flaw in Meta’s WhatsApp, the world’s most popular Instant Messaging (IM) app.
The Zengo X Research Team has discovered that WhatsApp’s View Once media feature, intended for increased privacy, is completely broken and can be trivially bypassed. We responsibly disclosed our findings to Meta, but when we realized the issue was already being exploited in the wild, we decided to make it public to protect the privacy of WhatsApp’s users. A more technical version of this blog can be found here.
IM apps and Crypto Wallets
Smart engineers know the best way to get results is to look for comparables and not reinvent the wheel. This is especially true for security engineering, in which acquiring the robustness of existing and battle-tested solutions is highly advantageous.
As we continue to develop the world’s pioneering MPC crypto wallet, the Zengo X Research Team is looking into its closest living relative, the Instant Messaging (IM) apps domain. As a result of such research we were able to identify and report important privacy issues in the past.
When we designed Zengo’s newly launched web interface, Zengo Desktop, as a recent addition to Zengo’s long-standing mobile solution, we wanted to take inspiration from IMs and their most popular representative, Meta’s WhatsApp, which is arguably the most popular mobile-first consumer app that added additional platforms (web, desktop) later on. We were especially interested in the way that WhatsApp supports features that are only possible on the more controlled and secure mobile platform. Therefore we set our sights on the “View once” media feature.
WhatsApp Mac desktop app: view once is not supported
WhatsApp View Once intro
According to WhatsApp official docs:
“You can send photos, videos, and voice messages that disappear from a chat after the recipient has opened them once. This is known as send as view once.
View once photos and videos won’t be saved to the recipient’s Photos or Gallery. They won’t be able to forward, share, or copy them. Recipients also won’t be able to take a screenshot or screen recording of your view once media. It’s still possible for someone to take a photo or video of the media, for example with a camera or another device, before it disappears.”
The “View once” feature is marketed by WhatsApp as a privacy feature, and WhatsApp invested engineering effort to enhance its privacy so that it could not be trivially bypassed with screenshots.
“View once” explained within the WhatsApp application (Screenshot taken on August 2024)
Therefore, the “View once” feature is only enabled by WhatsApp on platforms where the app can use the operating system to block content-copying features such as copying or taking screenshots, to prevent trivial bypassing of the policy. This limits the “View once” functionality mostly to mobile platforms, while on most desktop and web platforms users get a message that this type of message is not supported.
Issues with WhatsApp implementation
When we looked into the implementation details we were very surprised to find that although “View once” is meant to be limited to platforms where the app can control its displayed content and prevent other processes from abusing it, this is not enforced by WhatsApp’s API server. As a result, a client on any platform can download the message and make the “View once” promise void.
Specifically:
- View Once messages are sent to all of the receiver’s devices, including the ones that are not allowed to display them, such as the web client, which can be easily modified (no jailbreak or binary patching required), e.g. via a browser extension.
- View once media messages are technically the same as regular media messages, only with the “view once” flag set. This means it’s the virtual equivalent of putting a note on the picture that says “don’t look”. All an attacker needs to do to circumvent it is set this flag to false, and the “view once” media immediately becomes “regular” media that can be downloaded, forwarded and shared.
- Given its media URL, the View once media can be downloaded by any client; no authentication is needed (the reader still needs the decryption key sent with the message). Again, this makes the task of limiting the exposure of the media to controlled environments and platforms impossible.
- Some versions of View once messages contain a low-quality preview of the media that can be used to view the picture even without downloading it.
- View once messages are not immediately deleted from the WhatsApp server after being downloaded and stay accessible for 2 weeks. One would expect the server to delete the view once media immediately once it has been downloaded.
There are more issues with the implementation, but since it is so broken as is, there is no point in specifying them all.
Bypassing the View once limitation
To prove our insight that View once can be easily bypassed, we built our own unofficial WhatsApp client app based on Baileys, an open-source implementation of the WhatsApp Web API client, and reported our findings to Meta.
Our multiple reports to Meta’s security program
Later on, we found out that others had found this issue earlier this year, and exploited it in a more elegant way by leveraging the existing client code and just switching the message flag of “view once” to false.
Toggling the view once flag (GitHub)
Their solution is delivered either as a modified WhatsApp Android app or via a web extension that modifies WhatsApp Web. We experimented with the extension and it seems to work as published, as can be seen in the video below.
Some of these projects have existed for more than a year according to GitHub’s timestamps and seem to be discussed in relevant forums.
A Reddit thread earlier this year discussing “only once” pics viewing with an extension
Why it matters
One could argue that “view once” is not a secure system by design, as anyone can take another camera and record a video / audio / picture of the “view once” media from the original device.
While this argument is not completely wrong, it’s like comparing “double cassette” copying to MP3 distribution. If you can digitally copy something, it makes distribution dramatically easier and opens new “markets”:
- Quality: previously attackers could only obtain an “analog” copy (with loss of quality, etc.), while our new findings provide an exact digital replica.
- Scalability: previously copying could not be done “at scale” due to the required manual work, while with our new findings it is zero touch, just software that does everything automatically.
- Timeliness: previously attackers had to wait for the whole video / audio to play in order to record it, while with our new findings copying is instant.
- Attribution: if attackers “photo copy” the view once content, the result carries clues on how the media was captured and makes attribution easier (“someone just photo-copied it from view once on WhatsApp”), while a digital copy is identical to the original, so there is no attribution opportunity there.
- Non-repudiation: previously senders could repudiate a message and say they did not send it. Now that the view once media remains in plain sight in the original chat, the original senders can no longer do so.
Summing up: there might be analog ways to re-record this media, but we demonstrate a digital approach, which makes all the difference. It’s like comparing “double cassette” copying to MP3 distribution.
Possible solutions
To actually solve this issue, WhatsApp needs to apply a proper Digital Rights Management (DRM) solution that also verifies there is hardware support in place for such DRM. Such frameworks are provided by Android, iOS and other modern operating systems.
A less robust but easier solution would be to have the sender send the “view once” message only to the primary device (mobile) and not to companion linked devices (web, desktop). Note that this would only defeat extensions and does not help against patched mobile clients.
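To make the gap between the observed behaviour and the easier mitigation concrete, here is an added toy model of a relay server (example code written for this post, not WhatsApp’s or Baileys’ code) that enforces the three properties the issues list above says are missing: view once media is fanned out only to the primary device on a screenshot-protected platform, a download requires a device-bound token instead of a bare media URL, and the blob is deleted on the first successful download. The platform list, the `Device` fields and the token scheme are assumptions of the model.

```python
import secrets
from dataclasses import dataclass

# Assumption: only these platforms can ask the OS to block screenshots/recording.
PROTECTED_PLATFORMS = {"ios", "android"}


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str        # e.g. "ios", "android", "web", "desktop"
    primary: bool = False


class ViewOnceRelay:
    """Toy relay: stores encrypted media and decides which linked device may fetch it."""

    def __init__(self):
        # media_id -> {"blob": ciphertext, "tokens": {token: device_id}, "view_once": bool}
        self._media = {}
        self.audit = []  # rejected fetches (media_id, device_id), useful for alerting

    def send(self, ciphertext: bytes, view_once: bool, devices: list):
        """Store the blob and return (media_id, {device_id: fetch_token}).
        View once media is delivered only to the primary device on a protected
        platform; companions (web/desktop) never receive it. Regular media is
        fanned out to every linked device, as today."""
        if view_once:
            targets = [d for d in devices if d.primary and d.platform in PROTECTED_PLATFORMS]
        else:
            targets = list(devices)
        media_id = secrets.token_hex(8)
        tokens = {secrets.token_urlsafe(16): d.device_id for d in targets}
        self._media[media_id] = {"blob": ciphertext, "tokens": tokens, "view_once": view_once}
        return media_id, {dev: tok for tok, dev in tokens.items()}

    def fetch(self, media_id: str, device_id: str, token: str):
        """Download needs a token bound to the requesting device (no anonymous
        URL fetch). View once media is deleted on the first successful download
        instead of lingering on the server. Returns the ciphertext or None."""
        rec = self._media.get(media_id)
        if rec is None or rec["tokens"].get(token) != device_id:
            self.audit.append((media_id, device_id))
            return None
        if rec["view_once"]:
            del self._media[media_id]
        return rec["blob"]
```

As the post notes, this only removes the web/desktop extension path; a modified primary mobile client that ignores the flag still needs the DRM-based approach.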
Summing up
Privacy is critical for Instant Messaging. WhatsApp acknowledged that by supporting End-to-End Encryption (E2EE) for its users’ conversations by default. However, the only thing worse than no privacy is a false sense of privacy, in which users are led to believe some forms of communication are private when in fact they are not. Currently, WhatsApp’s View once is a blunt form of false privacy and should either be thoroughly fixed or abandoned.
At Zengo, we avoid such issues by limiting exposure of the MPC client shares strictly to the more secure mobile platform, thus preventing exploits on the less secure platforms (web, desktop).