The Register: WhatsApp fix to make View Once chats actually disappear is beaten in less than a week

Source URL: https://www.theregister.com/2024/09/18/whatsapp_view_once_flaw_unfixed/
Source: The Register
Title: WhatsApp fix to make View Once chats actually disappear is beaten in less than a week

Feedly Summary: View Forever, more like it, as Meta’s privacy feature again revealed to be futile with a little light hacking
A fix deployed by Meta to stop people repeatedly viewing WhatsApp’s so-called View Once messages – photos, videos, and voice messages that disappear from chats after a recipient sees them – has been defeated in less than a week by white-hat hackers.

AI Summary and Description: Yes

Summary: Meta’s recent fix to WhatsApp’s View Once feature, which is designed to make messages self-destruct after viewing, has been circumvented by security researchers from Zengo. Despite improvements, vulnerabilities remain, highlighting ongoing challenges in privacy and security for messaging platforms and the need for robust digital rights management.

Detailed Description: The issue with WhatsApp’s View Once feature centers on its reliance on digital rights management (DRM) across various operating systems, which has not proved adequate against exploitation. Recent developments reveal several key points about this issue:

* The View Once feature was launched by Meta in August 2021 as an optional privacy enhancement.
* Security researchers at Zengo publicly disclosed methods to bypass the View Once protections after attempting to report the security flaw through WhatsApp’s bug bounty program, highlighting a lack of responsiveness from Meta.
* The fundamental flaw is that View Once messages still contain all the data needed to access them, so the View Once flag can be reverted to a state that allows access to the supposedly self-destructed material.
* Meta implemented a code adjustment following the disclosure, which briefly seemed effective; however, Zengo later determined that the loopholes had not been adequately addressed.
* That the vulnerability persists was confirmed by other developers, who discovered additional methods to exploit the View Once feature and planned to release these exploits publicly.
* Zengo’s cofounder criticized Meta for inadequate communication and pointed out that the fundamental issues will persist until the application’s handling of such messages is comprehensively changed.

Implications for Security and Compliance Professionals:
* **Continued Vulnerabilities**: The situation underscores the need for continuous improvement and vigilance regarding privacy features in digital platforms.
* **Bug Bounty Programs**: Meta’s response (or lack thereof) to Zengo’s findings raises concerns about the effectiveness and responsiveness of bug bounty programs in addressing security issues promptly.
* **Long-term Solutions Needed**: The ongoing issues with the WhatsApp View Once feature indicate a need for more robust digital rights management solutions that provide real privacy and security assurances, rather than temporary patches.
* **User Awareness**: The situation stresses the importance of educating users on the limitations of privacy features and the potential for data exposure even in applications that promise enhanced security.

Overall, this incident serves as a reminder for professionals in security, compliance, and technology oversight to prioritize proactive measures in safeguarding sensitive information and to engage with responsible disclosure practices effectively.