WhatsApp, the world's leading end-to-end encrypted messaging app with over two billion users, enables users to share photos and videos that disappear after being viewed. However, a flaw in the way WhatsApp's browser-based web app handles its "View Once" feature allows malicious recipients to save media that should vanish after viewing.
This feature, introduced in 2021, is intended for use only on WhatsApp's mobile apps for Android and iOS. Typically, when a user receives a "View Once" media on the desktop or web app, a warning indicates that the media can only be opened on a mobile device.
To enhance privacy, WhatsApp prevents screenshots and screen recordings of "View Once" media on its mobile apps. However, Tal Be'ery, a security researcher who has been studying WhatsApp privacy issues, recently discovered a bug that bypasses these protections.
Last week, Be'ery demonstrated the bug, showing how he could capture and save a "View Once" image while using WhatsApp's web app.
Be'ery, who is the CTO and co-founder of crypto wallet Zengo, emphasized the dangers of a false sense of privacy, stating that WhatsApp's "View Once" feature is currently flawed and should be either fixed or discontinued.
He reported the bug to Meta, WhatsApp's parent company, on August 26 through their bug bounty program.
WhatsApp spokesperson Zade Alsawah acknowledged the issue, stating that updates to the web version of "View Once" are in progress, but no timeline for completion was provided.