Last week security flaw finders at cryptowallet startup Zengo went public with ways to revive seemingly self-destructed View Once material.
https://zengo.com/whatsapps-view-once-privacy-issue/
Essentially, the API servers treated View Once messages as normal messages but with a flag on them saying: Please only show this once. A rogue app able to talk to those servers could just ignore that request.
Zengo used Meta's bug bounty program in August to report the security weakness to WhatsApp....
"The core issue of the View Once media message containing all the information required to view it, in an environment that should not be able to show it, still remains unsolved."
The video below shows this is not a terrifyingly complex feat to achieve.
All that's needed to neutralize and negate this type of "security" is a screen cap.
@ecksmc lol.
Fkrs
and heard nothing back - As a result of the disclosure, WhatsApp tweaked its code a few days later to make it harder to get around the View Once requirements, and at first it appeared to have worked.
"While generally the fix was a good initial step in the right direction by Meta’s WhatsApp, it is still not enough," Zengo cofounder Tal Be'ery wrote in an explainer on Monday.
https://medium.com/@TalBeerySec/whatsapp-view-once-privacy-issue-initial-fix-assessment-the-good-the-bad-and-the-ugly-be97ec1cc2e5