Cybersecurity researcher Tal Be’ery has discovered a new way to bypass WhatsApp’s View Once feature. Despite this finding, Meta, the parent company of WhatsApp, has decided not to patch the vulnerability, on the grounds that it involves the use of a modified client application.
Understanding WhatsApp’s View Once Feature
The View Once feature on WhatsApp allows users to send media that disappears after being viewed. It is designed to prevent recipients from saving, forwarding, or capturing the content. However, Be’ery, who is also the co-founder and CTO of Zengo, has identified multiple ways to circumvent this feature over the years.
Previously, WhatsApp developers patched similar vulnerabilities reported by Be’ery, for which he even received a bug bounty. The latest method, however, involves a modified WhatsApp client, which has led Meta to exclude it from its bug bounty coverage.
Meta’s Response to the Bypass
Meta’s stance on the recent vulnerability is that it falls outside their security model. The company argues that it’s nearly impossible to prevent all forms of capturing the View Once media, as users can resort to external devices or modified clients. Consequently, Meta has decided not to patch this particular issue.
Meta clarified that the View Once feature is intended to be an extra privacy measure for media shared between trusted contacts on the official WhatsApp application. The company emphasized that the feature should not be seen as a forensic-grade data deletion tool.
Suggestions for Enhancing Security
To address such bypass vulnerabilities, Be’ery suggests the implementation of a digital rights management (DRM) system. He believes this would help in preventing the misuse of View Once media. However, Meta has expressed concerns over this suggestion, citing potential drawbacks and limitations of DRM in a private messaging context.
Despite the ongoing debate, Meta continues to enhance the security of the View Once feature within its official applications, distinguishing these efforts from vulnerabilities arising due to rogue clients. The company appreciates Be’ery’s contributions but maintains that the involvement of unofficial clients is beyond the scope of its current security measures.
As digital communication tools evolve, the challenge of balancing security and user privacy remains a critical concern. WhatsApp’s ongoing efforts to refine its features demonstrate a commitment to providing a secure platform, while acknowledging the inherent limitations of technology against unauthorized access and exploitation.
