Users beware: This ongoing WhatsApp glitch means photos you send are less private than you think

WhatsApp is one of the most trusted sites used by Gen Z. According to the company, more than half of Americans between the ages 18 and 35 have the app on their devices. It has also become a way for users to communicate abroad, as well as a more social environment than other messaging platforms as the app has rolled out community chats.

One notable reason why many users have flocked to the site is because it seems to prioritize security for users. However, this week, privacy concerns are being raised about a reported bug that affects WhatsApp’s “view once” feature.

“View once” is exactly what it sounds like. When a user sends a photo or video in the mode, the receiving viewer only gets to glimpse it one time before it disappears. The feature has been a part of the site since August 2021, and was enabled for voice messages later that year, too.

The Zengo X Research Team exposed the glitch this week in a blog post. “The Zengo X Research Team has discovered that WhatsApp’s ‘view once’ media feature, intended for increased privacy, is completely broken and can be trivially bypassed,” researcher Tal Be’ery wrote. The blog noted that the team notified Meta of the bug, but felt it was important to explain it to users, as it was already “exploited in the wild.”

The blog post lays out the issue in layman’s terms, as well as technical ones. But essentially, the researchers’ findings showed that “view once” is not terribly difficult to skirt. A number of Reddit threads explain just how to do so by using certain browser extensions aimed to disable the viewing mode, among other seemingly simple methods.

“When we looked into the implementation details we were very surprised to find that although ‘view once’ is meant to be limited to platforms in which the app can control its displayed content and prevent other processes from abusing it, it is not enforced by WhatsApp’s API server. As a result, a client on any platform can download the message and make the ‘view once’ promise void.”

WhatsApp does note that “view once” isn’t totally fool-proof. “Remember that there are other ways your ‘view once’ media or voice message can be saved,” the site explains. “For example, recipients can take a photo or video of your ‘view once’ media with a camera or other device before it disappears.”

Privacy and security have certainly been selling points of the app. Its privacy features have included end-to-end encryption, security codes, a “chat lock” feature, “view once,” automatic spam detection, and more.

The site, which recently rolled out a new design, hasn’t addressed a plan to fix the security issue, but told TechCrunch that more updates are coming. “We are already in the process of rolling out updates to ‘view once’ on web. We continue to encourage users to only send ‘view once’ messages to people they know and trust,” WhatsApp spokesperson Zade Alsawah said in a statement.

Fast Company reached out to WhatsApp in an email but did not hear back by time of publishing.