WhatsApp View Once Privacy Issue Initial Fix Assessment: The Good, the Bad and the Ugly
TL;DR: Following our recent discovery and disclosure of Meta’s WhatsApp View Once media privacy issue, WhatsApp has silently updated its Web app. While this fix breaks many of the existing exploiting browser extensions, the core issue remains unsolved.
Recently we discovered that the WhatsApp View Once media feature, promoted by WhatsApp as a privacy feature that limits the exposure of users’ sent media, can be trivially bypassed by a browser extension that slightly modifies the WhatsApp web app.
We responsibly disclosed our findings to WhatsApp through Meta’s Bug Bounty program, but when we learned that the issue was being actively exploited by publicly available browser extensions with 10K users, we decided to publish our findings to protect the privacy of WhatsApp’s users.
The Fix
The original issue is that the View Once media messages are identical to ordinary media messages, with the addition of a single field that tells the client this media should be viewed once. Once received, these messages are stored in the app’s database, just like ordinary media messages.
As a result, exploiting extensions could just change the View Once field to false in the database and make the official WhatsApp web app show them.
Around 12.9.2024, WhatsApp released an update to its Web App that changes the way View Once media messages are saved to the application’s databases and redacts some of the information needed to view the media. As a result, the media becomes technically unviewable even if the View Once field is set to false.
The Good
There are quite a few good things in this fix:
- It shows that Meta’s WhatsApp agrees with our assessment, views this issue as important, and is actually investing resources to fix it.
- It shows we were right in our decision to go public with this information, as it drove Meta to actually address it.
- It breaks many (all?) existing exploiting browser extensions, as shown by the complaints of many of their customers (some of these extensions charge money) on the Chrome Web Store.
- It prevents future exploitation of View Once media by attackers who obtain the WhatsApp app database.
The Bad
While the fix is generally a good initial step in the right direction by Meta’s WhatsApp, it is still not enough.
The core issue, that the View Once media message contains all the information required to view it even in an environment that should not be able to show it, remains unsolved.
To bypass the fix, exploiters just need to go “upstream” and toggle the View Once flag to false when it is received by the app and before it is stored in the database.
Implementing this “upstream” edit allowed us to bypass this fix on an updated WhatsApp web app.
Updated 17.9.24: As predicted, exploiting extensions are planning to bypass this incomplete fix.
To really fix this issue, WhatsApp clients must not send View Once media messages to platforms that are not allowed to show them. As we showed in our past research, the WhatsApp architecture already supports sending different versions of the same message’s content to different recipient devices.
We hope that WhatsApp will implement this robust fix soon.
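To make the proposed fix concrete, here is an added, simplified Python model (not WhatsApp’s code; the device capability flag, the message fields and the fan-out helper are assumptions) of sender-side gating: the media url and key are included only in copies addressed to devices that can honour View Once, so a receiving Web client that flips the flag before storage, as described above, has nothing left to render.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    device_id: str
    can_honour_view_once: bool  # assumption: True for the mobile app, False for Web


@dataclass
class MediaMessage:
    msg_id: str
    view_once: bool
    media_url: Optional[str]    # location of the encrypted media blob
    media_key: Optional[bytes]  # key needed to decrypt and render the blob


def fan_out(msg: MediaMessage, devices: List[Device]) -> Dict[str, MediaMessage]:
    """Sender-side per-device copies: View Once media url/key go only to devices
    that can honour the restriction; the rest get a stripped placeholder, so
    their local database never holds anything an extension could expose."""
    copies = {}
    for dev in devices:
        if msg.view_once and not dev.can_honour_view_once:
            copies[dev.device_id] = MediaMessage(msg.msg_id, True, None, None)
        else:
            copies[dev.device_id] = MediaMessage(
                msg.msg_id, msg.view_once, msg.media_url, msg.media_key)
    return copies


def web_client_can_render(received: MediaMessage, flag_flipped: bool) -> bool:
    """Model of a Web client that must not show View Once media. flag_flipped
    models the "upstream" tampering described above (view_once forced to False
    before storage). Rendering needs both url and key, so a stripped copy
    stays unviewable regardless of the flag."""
    stored_view_once = False if flag_flipped else received.view_once
    has_media = received.media_url is not None and received.media_key is not None
    return has_media and not stored_view_once


# Constructed sample: one phone (capable) and one Web session (not capable).
DEVICES = [Device("phone", True), Device("web", False)]
SAMPLE = MediaMessage("m1", True, "https://media.example/blob1", b"k" * 32)

if __name__ == "__main__":
    copies = fan_out(SAMPLE, DEVICES)
    print("old behaviour, flag flipped:", web_client_can_render(SAMPLE, True))         # True
    print("gated copy, flag flipped:   ", web_client_can_render(copies["web"], True))  # False
```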
The Ugly
Even after 3 weeks and multiple reports through Meta’s official Bug Bounty program, and although Meta has publicly acknowledged that this is indeed an issue, there is still radio silence on Meta’s side and no communication has been made with us.
We find this silent treatment highly disappointing and against the spirit of the vulnerability disclosure process in general and of Meta’s own Bug Bounty guidelines in particular.
The good news: Meta can fix this as soon as they want :)
Summing up
While there is still a lot of work left to fix this issue, the initial mitigation by Meta’s WhatsApp gives us hope that it will be addressed soon. We are happy that our research and disclosure were able to drive this change and make the world a little bit safer for WhatsApp’s 3 billion users.