
Hackers May Be Able to Circumvent WhatsApp’s ‘View Once’ Feature Because of Vulnerability

A significant security flaw has been identified in the popular messaging app, WhatsApp, which has raised concerns about the privacy of its users. Researchers from Zengo recently uncovered a vulnerability that affects WhatsApp’s ‘View Once’ feature, allowing a potential attacker to access and retain sensitive media shared on the platform without the knowledge of the sender or recipient.

The ‘View Once’ feature was designed to enhance privacy by allowing users to share images, videos, and audio messages that would disappear after being viewed once. This feature was intended to prevent the recipient from downloading or taking screenshots of the media, ensuring that sensitive content remains private. However, the researchers discovered a loophole in the system that allowed them to bypass this privacy feature.

The flaw was attributed to how WhatsApp servers handled the ‘View Once’ media. By exploiting this vulnerability, the researchers were able to change the status of the message from ‘viewOnce: true’ to ‘false,’ thereby enabling them to access and download the media on any device without the need for further authentication. Furthermore, the researchers found that WhatsApp servers retained ‘View Once’ messages for up to two weeks, further compromising the privacy of users.

To demonstrate the exploit, the researchers created an unofficial WhatsApp client using the WhatsApp Web API client “Baileys” to download and save ‘View Once’ messages. Additionally, they were able to decrypt the encrypted message using OpenSSL, highlighting the potential for unauthorized access to sensitive content shared on WhatsApp.
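The flaw described above comes down to a restriction carried as a message flag rather than enforced by what the server will release. As an added illustration (not code from the article, Zengo or WhatsApp), this toy JavaScript model contrasts a flag-only store with one that enforces single release itself; `MediaStore`, the device ids and the one-approved-device policy are assumptions made for the example.

```javascript
// Added illustration: a toy in-memory media store, not WhatsApp's server code.
// MediaStore, the device ids and the one-approved-device policy are hypothetical.
class MediaStore {
  constructor({ enforceServerSide }) {
    this.enforce = enforceServerSide;
    this.items = new Map(); // mediaId -> { blob, viewOnce, allowedDevice, consumed }
    this.audit = [];        // denied fetches, worth alerting on
    this.seq = 0;
  }

  // Sender uploads media; view-once media is bound to one recipient device.
  put(blob, { viewOnce, allowedDevice }) {
    const id = `media-${++this.seq}`;
    this.items.set(id, { blob, viewOnce, allowedDevice, consumed: false });
    return id;
  }

  // A recipient device asks for the media.
  fetch(id, deviceId) {
    const item = this.items.get(id);
    if (!item) return this.deny(id, deviceId, 'unknown-media');
    if (this.enforce && item.viewOnce) {
      if (deviceId !== item.allowedDevice) return this.deny(id, deviceId, 'device-not-allowed');
      if (item.consumed) return this.deny(id, deviceId, 'already-viewed');
      const blob = item.blob;
      item.blob = null;     // drop the stored copy, keep a tombstone for auditing
      item.consumed = true;
      return { ok: true, blob };
    }
    // Flag-only design: the server releases the media and leaves the restriction to the client.
    return { ok: true, blob: item.blob };
  }

  deny(id, deviceId, reason) {
    this.audit.push({ id, deviceId, reason });
    return { ok: false, reason };
  }
}

// Constructed scenario: one view-once upload, then three fetch attempts.
function scenario(enforceServerSide) {
  const store = new MediaStore({ enforceServerSide });
  const id = store.put('constructed-sample-bytes', { viewOnce: true, allowedDevice: 'phone-1' });
  const attempts = ['web-2', 'phone-1', 'phone-1'].map((device) => store.fetch(id, device));
  return { outcomes: attempts.map((r) => (r.ok ? 'served' : r.reason)), denied: store.audit.length };
}

console.log(scenario(false), scenario(true));
```

With enforcement off, all three requests are served and nothing is logged; with it on, only the approved device's first request succeeds and the other two land in the audit list.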

Upon discovering the flaw, the researchers promptly notified Meta, the parent company of WhatsApp, about the vulnerability. However, due to the active exploitation of the flaw, the researchers decided to publicly disclose their findings. While Meta has acknowledged the issue, no official patch has been released to address the vulnerability in the ‘View Once’ feature. Nevertheless, Meta has assured users that they are working on a fix that will be included in future updates.

In response to the incident, Meta emphasized the importance of its bug bounty program, which allows external researchers to report security vulnerabilities. It has also advised users to exercise caution when sending ‘View Once’ messages and to share sensitive content only with trusted individuals.

As this story develops, it serves as a reminder of the ongoing challenges related to privacy and security in the digital age. With the growing reliance on messaging apps for communication, it is crucial for tech companies to prioritize the protection of user data and address security vulnerabilities promptly. The case of WhatsApp’s ‘View Once’ flaw underscores the importance of ongoing vigilance and the need for robust cybersecurity measures to safeguard user privacy in an increasingly interconnected world.
