WhatsApp finally fixes View Once flaw that allowed theft of supposedly vanishing pics

And it only took four months, tut


WhatsApp has fixed a problem with its View Once feature, designed to protect people's privacy with automatically disappearing pictures and videos.

View Once was introduced in 2021, enabling media to delete itself after being opened. However, that privacy mechanism was flawed and could be "trivially bypassed" when using the web app and a rogue browser extension, according to the researchers who discovered this weakness in August and responsibly disclosed the issue to WhatsApp.

WhatsApp put out a quick fix – but it was less than perfect and would still allow images to be viewed even after they were supposed to have vanished. Now, the biz claims the issue has been resolved with a software update.

"We're constantly building in layers of privacy protection, and that includes rolling out key updates to View Once on web," a WhatsApp spokesperson told The Register. "As always, we continue to encourage users to only send view once messages to people they know and trust, and make sure they're on the latest version of the app."

The initial issue, discovered by folks at crypto wallet startup Zengo, allowed "View Once" messages to be accessed by web clients that didn't adhere to the app's disappearing messages protocol. Several developers wrote browser extensions that would ignore the View Once command and keep a copy of the media the messages contained.

Though Zengo co-founder Tal Be'ery nit-picked the latest fix, which prevents browser extensions from getting media sent in vanishing messages, he acknowledged the update is a "great improvement with respect to the original starting point. We are happy that our discoveries and publications pushed WhatsApp into fixing View Once in a thorough manner to protect this feature's users' privacy." ®
