WhatsApp ‘View Once’ Privacy Feature Vulnerability Allows Bypass

• A flaw in the end-to-end encrypted messaging platform WhatsApp lets users circumvent privacy protections.
• Any ill-intended user could view and save media that is supposed to only be viewed once by the recipient.
• A fix for this privacy protocol breach vulnerability is not yet available.

A critical bug has been discovered in the View Once feature of WhatsApp's browser-based web app. The feature is intended to permit sending pictures and videos that disappear after being viewed once by the recipient, enabling malicious users to bypass the intended privacy protections, according to security researchers’ reports.

Typically, the View Once feature, which was rolled out in 2021, warns desktop and web app users that pictures and videos can only be opened on mobile devices. Additionally, the mobile apps for Android and iOS have built-in protections that prevent recipients from taking screenshots or screen recordings of these disappearing messages.

Despite these safeguards, a web app vulnerability lets recipients breach privacy protocols and view and save one-time-view media. Discussions around bypassing the "View Once" feature have appeared on social media and through browser extensions, though specifics are withheld to prevent misuse. 

While WhatsApp has acknowledged the issue, it has not yet provided a timeline for when users can expect a resolution to this vulnerability. Until a fix is implemented, caution is advised when using the "View Once" feature on WhatsApp's web app.

In July, reports said that the latest version of WhatsApp for Windows allows arbitrary code execution without warning the user, permitting Python and PHP execution. It targets users who have already installed Python, such as software developers, with WhatsApp reportedly not planning to block Python scripts from being shared or downloaded. 

Privacy breaches have also been reported in apps from the dating segment, which allow users to learn the location of other users with down to 2 meters of accuracy. Some of these apps showed leaks in API traffic that exposed private user data, and a user with malicious intent could exploit these to monitor unsuspecting users.