WhatsApp for iOS: Bug could bring back "view only once" media

The "View Once" feature in WhatsApp was actually supposed to make content disappear immediately, similar to Snapchat. But this was not the case due to a bug.


All belong to Mark Zuckerberg: Apps from Threads, Facebook, Instagram, WhatsApp, Messenger and Meta on one smartphone.

(Image: Koshiro K/Shutterstock.com)


Meta's WhatsApp client for iOS apparently contained a bug for a long period of time that allowed media the sender had marked to be viewed only once to be retained "forever". This was reported by the security researcher with the nickname Ramshath in a Medium post. The affected function is the so-called "View Once" feature, which is supposed to ensure that appropriately marked photos and videos disappear from the app as soon as they have been viewed – a bit like Snapchat. However, the app did not do what users expected: the supposedly volatile media was not actually deleted, and there was a trick to retrieve it.

The bug, which has since been fixed after Meta was contacted, could be exploited via the settings. If you sorted by the latest content in the storage management area, view-once content suddenly reappeared. "Instead of disappearing like a responsible guest, the image was stuck in the 'Manage Storage' section of WhatsApp, defying the idea of 'View Once'. After making this discovery, I reported the issue through Meta's bug bounty program," says Ramshath.

However, the security researcher did not receive his bug bounty reward. The reason: according to Meta, they were "already aware of the problem internally" and were already working on fixing the bug. "Since we are already in the process of mitigating this issue, we cannot qualify this report for a reward under our bug bounty program." Meta did not say how bug bounty participants would know this. According to Ramshath, he was disappointed but pleased that the issue is being addressed.


It is unclear how content that was supposed to be deleted simply remained in the regular storage area of WhatsApp for iOS. Meta has not yet commented publicly. This is not the first time such an issue has occurred: a bug had already appeared in the web version of WhatsApp in December, which also prevented the "real" deletion of view-once images.

The bug has now been fixed in the latest version 25.2.3 of the WhatsApp iPhone app. What happens if attackers stay on an earlier version of the app, i.e. whether Meta can also do something on the server side, initially remained unclear. The Android version of WhatsApp is said not to have been affected.


(bsc)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.