Hackers Could Bypass WhatsApp ‘View Once’ Due To Vulnerability
Security researchers have uncovered a significant security issue that poses a threat to the privacy of WhatsApp users. This vulnerability primarily affects the ‘View Once’ feature in WhatsApp, allowing a malicious actor to gain persistent access to the target media without the recipient’s knowledge.
Vulnerability In ‘View Once’ Feature Allows Persistent Access To WhatsApp Media
Zengo’s security researchers identified a critical security issue in WhatsApp that enabled an attacker to circumvent the app’s ‘View Once’ privacy feature. In a detailed post, Be’ery and the team revealed a method to access media content shared on WhatsApp with a ‘View Once’ restriction.
According to Meta, ‘View Once’ is a privacy-focused media-sharing feature on WhatsApp that permits the recipient to view and access the shared media only once. Once opened, the media (such as audio messages, videos, and photos) automatically disappears from the chat to leave no trace. Recipients are unable to save the media on their devices or capture screenshots.
Despite the intended privacy protection, the researchers demonstrated how the feature could be bypassed.
The root of the issue lay in how WhatsApp servers handled ‘View Once’ media. The researchers observed that WhatsApp servers simply labeled the message as ‘View Once’ and distributed it to all devices, including those not equipped to handle ‘View Once’ messages. This flaw allowed an attacker to change the ‘viewOnce: true’ flag to ‘false,’ granting them unrestricted access to view and download the message on any device without additional authentication.
Another oversight with this feature was the retention of ‘View Once’ messages on WhatsApp servers for up to 2 weeks.
The researchers identified two methods to bypass this privacy feature. Firstly, they developed an unofficial WhatsApp client using the WhatsApp Web API client “Baileys” to link to an existing WhatsApp account and download ‘View Once’ messages. Secondly, they could download the encrypted message with any client and decrypt it later using OpenSSL, as illustrated in the accompanying video.
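A minimal model of the server-side handling described above, as an added example (not code from WhatsApp, Meta or Zengo): it contrasts labelling a message and fanning it out to every linked device with a store that delivers only to devices advertising support, releases the blob once, and expires it early. The names `Device`, `ViewOnceStore` and `weak_fanout`, the capability flag and the 24-hour TTL are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

TTL_SECONDS = 24 * 3600  # assumed short TTL; the article reports retention of up to 2 weeks


@dataclass
class Device:
    device_id: str
    supports_view_once: bool  # hypothetical capability recorded when the device is linked


def weak_fanout(devices):
    """Behaviour the article describes: label the message, deliver to every linked device."""
    return sorted(d.device_id for d in devices)


@dataclass
class ViewOnceStore:
    """Toy server-side store that enforces the restriction itself (hypothetical design)."""
    blobs: dict = field(default_factory=dict)    # msg_id -> (ciphertext, stored_at)
    allowed: dict = field(default_factory=dict)  # msg_id -> device ids permitted to fetch

    def submit(self, msg_id, ciphertext, devices, now=None):
        now = time.time() if now is None else now
        self.blobs[msg_id] = (ciphertext, now)
        # Only devices able to enforce 'View Once' are ever eligible to receive it.
        self.allowed[msg_id] = {d.device_id for d in devices if d.supports_view_once}
        return sorted(self.allowed[msg_id])

    def fetch(self, msg_id, device_id, now=None):
        now = time.time() if now is None else now
        entry = self.blobs.get(msg_id)
        if entry is None or device_id not in self.allowed.get(msg_id, set()):
            return None  # unknown message or ineligible device: nothing is released
        ciphertext, stored_at = entry
        # Consume on first eligible fetch, so no second download is possible.
        del self.blobs[msg_id]
        del self.allowed[msg_id]
        if now - stored_at > TTL_SECONDS:
            return None  # expired blobs are purged without being delivered
        return ciphertext


if __name__ == "__main__":
    linked = [Device("phone", True), Device("web", False)]  # constructed sample devices
    print("label-only fan-out:", weak_fanout(linked))
    store = ViewOnceStore()
    print("enforced fan-out:", store.submit("m1", b"ciphertext", linked))
```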
Meta Patched The Flaw
Upon discovering this vulnerability, the researchers responsibly disclosed it to Meta. However, due to active exploitation of the flaw, the researchers decided to make the issue public.
As of now, there is no official patch available to address this ‘View Once’ vulnerability for WhatsApp users. Nevertheless, Meta is reportedly working on a fix that will be included in future releases. Meta’s statement regarding the matter reads:
“Our bug bounty program is an important way we receive valuable feedback from external researchers and we are already in the process of rolling out updates to view once on web. We continue to encourage users to only send view once messages to people they know and trust.”