Once and Forever: WhatsApp’s View Once Functionality is Broken

Tal Be'ery
8 min read · Sep 9, 2024


TL;DR: Meta’s WhatsApp, the world’s most popular Instant Messaging app with 3B users, suggests using the “View once” feature as a privacy feature. Allegedly, using “View Once” users can share their media in a manner that the receiver will not be able to store or forward. However, we found that Meta implemented this feature in a neglectful manner, allowing a malicious user to easily save and distribute an exact digital copy of a “View once” message. We responsibly disclosed our findings to Meta, but when we realized the issue was already being exploited in the wild, we decided to make it public to protect the privacy of WhatsApp’s users.

Users can easily abuse “View once” media and freely view and redistribute it

Whatsapp View Once intro

According to WhatsApp official docs:

“You can send photos, videos, and voice messages that disappear from a chat after the recipient has opened them once. This is known as send as view once.

View once photos and videos won’t be saved to the recipient’s Photos or Gallery. They won’t be able to forward, share, or copy them. Recipients also won’t be able to take a screenshot or screen recording of your view once media. It’s still possible for someone to take a photo or video of the media, for example with a camera or another device, before it disappears.”

The “View once” feature is marketed by WhatsApp as a privacy feature and WhatsApp invested some engineering efforts in order to enhance its privacy so it would not be trivially bypassed with screenshots.

“View once” explained within the WhatsApp application (Screenshot taken on August 2024)

Therefore, WhatsApp only enables the “View once” feature on platforms where the app can use the operating system to restrict content-copying features such as copying or taking screenshots, so that the policy cannot be trivially bypassed. This limits “View once” mostly to mobile platforms; on most desktop and web platforms users instead get a message that this type of message is not supported.

WhatsApp Web app: View once is not supported
WhatsApp Mac desktop app: view once is not supported

View Once Technical details

WhatsApp’s White paper describes the process of sending media messages

Transmitting Media and Other Attachments

Large attachments of any type (video, audio, images, or files) are also end-to-end encrypted:

1. The WhatsApp user’s device sending a message (“sender”) generates an ephemeral 32 byte AES256 key, and an ephemeral 32 byte HMAC-SHA256 key.

2. The sender encrypts the attachment with the AES256 key in CBC mode with a random IV, then appends a MAC of the ciphertext using HMAC-SHA256.

3. The sender uploads the encrypted attachment to a blob store.

4. The sender transmits a normal encrypted message to the recipient that contains the encryption key, the HMAC key, a SHA256 hash of the encrypted blob, and a pointer to the blob in the blob store.

5. All receiving devices decrypt the message, retrieve the encrypted blob from the blob store, verify the SHA256 hash of it, verify the MAC, and decrypt the plaintext.

Our experiments show that View once media messages follow this protocol and are sent to all of the receiver’s devices (see our previous articles on WhatsApp multi device support). They are almost identical to a normal media message: they include a URL to the encrypted data hosted on WhatsApp’s web server (the “blob store”) and the key to decrypt it.

Additionally, the message sets the “View once” flag to “true”.

The View Once message as a JSON object: see the URL, mediaKey and viewOnce fields (and jpegThumbnail)

Issues with WhatsApp implementation

Although “View once” is meant to be limited to platforms in which the app can control its displayed content and prevent other processes from abusing it, it is not enforced by WhatsApp’s API server. As a result, a client on any platform can download the message and make the “View once” promise void.

Specifically:

  • The View Once messages are sent to all of the receiver’s devices, including the ones that are not allowed to display them, such as Web applications, which can be easily modified (no jailbreak or binary patching is required), e.g. via a browser extension.
  • The View once media messages are technically the same as regular media messages, only with the “view once” flag set, which makes the flag the virtual equivalent of a note on the picture saying “don’t look”. All an attacker needs to do to circumvent it is set this flag to false; the media then becomes regular and can be downloaded, forwarded and shared.
  • Given its media URL, the View once media can be downloaded by any client; no authentication is needed (the reader still needs the decryption key sent with the message). Again, this makes limiting the media’s exposure to controlled environments and platforms impossible.
  • Some versions of the View once messages contain a low-quality preview of the media that can be used to view the picture even without downloading it.
  • View once media are not immediately deleted from WhatsApp’s server after being downloaded and stay accessible for two weeks. One would expect the server to delete view once media immediately once it has been downloaded.

There are more issues with the implementation, but since it is so broken as is, there is no point in specifying them all.

Bypassing the View once limitation

To prove our insight that View once can be easily bypassed, we built our own unofficial WhatsApp client app based on Baileys, an open source implementation of WhatsApp Web API client. This client can be linked to an existing WhatsApp account in the same manner that users can link a WhatsApp web client to their existing WhatsApp mobile app.

Our unofficial client’s code

Using our own unofficial client we were able to download, save and gain full control over the sent “View once” media.

Another option is to extract the URL, download the encrypted media with any web client (e.g. a browser) and then decrypt it using OpenSSL and the mediaKey, as shown in the video below:

Manual decryption of WhatsApp View Once media

We responsibly disclosed our findings to Meta on August 26th 2024, but have received no actual response yet.

Our multiple reports to Meta’s security program

Later on, we found out that others had found this issue and exploited it in a more elegant way by leveraging the existing client code and just switching the message flag of “view once” to false.

Toggling the view once flag (source: github)

Their solution is delivered either as a modified WhatsApp Android app or as a web extension that modifies WhatsApp web. We experimented with the extension and it works as published.

The malicious extension in action

Some of these projects have existed for more than a year according to GitHub’s timestamps and seem to be discussed in relevant forums.

A reddit thread earlier this year discussing “only once” pics viewing with extension

As the issue is already known to attackers and actively exploited in the wild, we decided to make it public to protect the privacy of WhatsApp’s users.

Why it matters

One could argue that “view once” is not a secure system by design, as anyone can take another camera and record a video / audio / picture of the “view once” media from the original device.

While this argument is not completely wrong, it is like comparing “double cassette” copying to MP3 distribution. If something can be copied digitally, distribution becomes dramatically easier and opens new “markets”:

  • Quality: previously attackers could only obtain an “analog” copy (with loss of quality etc.), while our new findings provide an exact digital replica.
  • Scalability: previously copying could not be done “at scale” because of the manual work required, while with our new findings it is zero touch: software does everything automatically.
  • Timeliness: previously attackers had to wait for the whole video / audio to play in order to record it, while with our new findings copying is instant.
  • Attribution: if attackers “photo copy” the view once content, the copy carries clues about how it was captured and makes attribution easier (“someone just photo-copied it from view once on WhatsApp”), whereas a digital copy is identical to the original, so there is no attribution opportunity.
  • Non-repudiation: previously users could repudiate a message and claim they never sent it. Now that the view once media remains in plain sight in the original chat, the original senders can no longer do so.

In summary: there may be analog ways to re-record this media, but the digital approach we describe is what makes the difference. It’s like comparing “double cassette” copying to MP3 distribution.

Possible solutions

To actually solve this issue, WhatsApp needs to apply a proper Digital Rights Management (DRM) solution that also verifies there is hardware support in place for such DRM. Such frameworks are provided by Android and iOS and other modern Operating Systems.

A less robust but easier solution would be for the sender to send the “view once” message only to the primary device (mobile) and not to companion linked devices (web, desktop). Note that this would only defeat extensions and is not relevant against patched mobile clients.

Updated 16.9.2024: Assessment of the initial incomplete fix that was released by WhatsApp

Summing up

Privacy is critical for Instant Messaging. WhatsApp acknowledged that by supporting End-to-End Encryption (E2EE) for its users’ conversations by default. However, the only thing worse than no privacy is a false sense of privacy, in which users are led to believe some forms of communication are private when in fact they are not. Currently, WhatsApp’s View once is a blunt form of false privacy and should either be thoroughly fixed or abandoned.


All things CyberSecurity. Security Research Manager. Co-Founder @ZenGo (KZen). Formerly, VP of Research @ Aorato acquired by @Microsoft ( MicrosoftATA)