Summary

  • A new vulnerability in WhatsApp’s ‘view-once’ media feature on iOS allowed recipients to bypass the intended ephemerality and view the media indefinitely by accessing it through the app’s storage management settings.
  • The flaw, which was specific to iOS and not reproducible on Android, appears to have been fixed via a server-side update over the weekend.
  • Meta is yet to publicly acknowledge the patched vulnerability.

Meta’s WhatsApp is one of the safer messaging platform options currently available on the market. The platform offers end-to-end encryption, an option to set two-step verification, privacy settings for groups, view-once media, and more. The last of these, however, has previously proved to be a concern.

Back in September last year, security researcher Tal Be’ery found a way to view and save view-once media on WhatsApp web, even though the feature is only intended to work on the messaging platform’s Android and iOS apps. This was subsequently fixed in early December.


Late last week, we were able to document a new flaw that allowed the recipient of a view-once media file to view it indefinitely, even after it had been opened and closed within the chat. Although the flaw seems to have been fixed for now, the duration of its active exploitation is currently unknown. The vulnerability was only active on WhatsApp’s iOS app, and we weren’t able to replicate it on Android.

As user Ramshath later highlighted in a Medium post, Meta had known about the issue internally and, up until the weekend, was “working on a fix to address it,” which seems to have rolled out sometime on Saturday or Sunday.

Here’s how the exploit worked while it was active

  1. Receive a ‘view once’ photo or media. Once opened and closed within the chat, you cannot view the media again.
  2. Head to Settings → Storage and data → Manage Storage.
  3. Scroll down and locate the contact that shared the disappearing media → Tap their name.
  4. Sort by: Newest.
  5. The supposed view once media is there in all its glory at the top of the list.

A GIF highlighting a contact screen within Storage and data → Manage Storage that houses view-once media.

The GIF above highlights the Storage and data → Manage Storage → ‘User’ screen that houses all media received from a specific chat, which, up until last week, also included view-once media.

Staff at Android Police were able to replicate this internally on Thursday, January 23 — we’re unable to do so today, prompting us to believe that Meta rolled out a fix over the weekend. There isn’t a new build for WhatsApp, which means that this was a server-side fix. The tech giant is yet to publicly acknowledge the vulnerability.
