WhatsApp Glitch Allows Users to Save Vanishing 'View Once' Photos

The research team Zengo X has revealed a bug in WhatsApp's 'View Once' feature that could allow users to save photos meant to disappear after a single view.

What Is ‘View Once’?

WhatsApp, used by over two billion people, introduced the 'View Once' feature in 2021 to provide a layer of privacy for photos, videos, and voice messages. The idea is that once the media is viewed, it disappears, making it ideal for sharing sensitive content.

This feature is only meant to work on WhatsApp’s mobile app for Android and iOS. If someone receives a 'View Once' message on the desktop or web version of WhatsApp, they are told it can only be viewed on a mobile device. Additionally, WhatsApp blocks users from taking screenshots or recording the media in its mobile app to ensure privacy.


The Problem with ‘View Once’

Despite these security measures, Zengo X found a significant flaw in the WhatsApp web app that lets people bypass the 'View Once' function. Tal Be’ery, a security expert from Zengo X, explained the issue in a blog post, pointing out that it's possible to turn off the 'view once' flag in the media's code. This allows the media to be downloaded and shared, even though it was supposed to vanish after one view.

The flaw also allows the media to be accessed without proper security checks, and in some cases, low-quality previews of the content are shown. Be’ery pointed out that these messages don’t get deleted immediately after viewing, and instead remain on WhatsApp's servers for up to two weeks. This makes it easy for the media to be copied and spread.

Be’ery warned that the biggest concern isn’t just the privacy risk, but the false sense of security users may feel when using the feature. He suggested that WhatsApp should either fix the problem entirely or stop offering the feature. Stronger security measures, such as Digital Rights Management (DRM) or restricting the feature to mobile devices only, could help.


WhatsApp’s Response

Zengo X informed Meta, WhatsApp’s parent company, about the flaw. However, it seems Be’ery wasn’t the first to uncover this issue. He found that there were already browser extensions that allowed people to easily bypass the 'View Once' feature. Once he realized that the bug was already being taken advantage of, Zengo X decided to make the information public in order to protect users.

When asked about the bug, WhatsApp responded by stating that they are working on updates to the 'View Once' feature for their web platform. They also advised users to only send 'View Once' messages to people they trust.