WhatsApp appears to have fixed issues with its “View Once” privacy feature that previously let users bypass the protection.
First introduced in 2021, WhatsApp’s View Once allows you to send self-destructing messages, photos, and videos for maximum privacy. The feature also prevents the receiver from forwarding or saving the messages, with screenshots being blocked as well.
Last August, however, a security researcher found a bug that let people using WhatsApp’s desktop app save the disappearing messages, de facto bypassing the View Once feature. On Friday, December 6, 2024, the company confirmed to TechCrunch it “rolled out a longer-term fix that resolved the issue.”
WhatsApp’s solution is welcome but “isn’t perfect,” as it increases the amount of unencrypted metadata, which might bring further privacy risks for users.
A “great improvement,” but an impact on metadata
“We’re constantly building in layers of privacy protection, and that includes rolling out key updates to view once on web,” WhatsApp spokesperson Zade Alsawah told TechCrunch.
Alsawah recommends everyone update the encrypted messaging app to the latest version, which addresses the security vulnerability. He also suggests sending View Once messages only to people you know and trust.
Tal Be’ery, the security researcher who first reported the issues with the View Once feature, welcomed WhatsApp’s update with a post on X (see tweet below).
He wrote: “The fix indeed addresses the root cause properly, so we are happy we were able to make the world a little safer!”
1/ @WhatsApp has silently fixed the View Once issue we reported a few months ago. The fix indeed addresses the root cause properly, so we are happy we were able to make the world a little safer! The fix itself is technically interesting…🧵👇 https://t.co/a4dhgl8o96 (December 9, 2024)
However, as Be’ery explains, the provider managed to fix the privacy flaw by adding a “View Once” flag to the messages’ unencrypted metadata.
This means that the provider’s solution de facto increases the amount of unencrypted metadata exposed to the WhatsApp Server. This could open up other potential privacy risks, noted the expert.
“The fix highlights the known, yet often overlooked, fact that E2EE protects messages’ content but not their metadata,” wrote Be’ery. “WhatsApp traded-off user increased privacy against receiver unauthorized View Once content access, against reduced privacy for unauthorized View Once metadata access on WhatsApp server.”
We’ve previously reported on how metadata collection may be a problem for WhatsApp users’ privacy as surveillance techniques become increasingly sophisticated. That said, “While this fix is not perfect, we still consider it as a great improvement with respect to the original starting point,” concluded Be’ery.