Skip to main content
HashnodeBypassecBypassec

Command Palette

Search for a command to run...

Do you really trust WhatsApp View Once?

Updated
3 min read
Do you really trust WhatsApp View Once?
B
Bypassec

WhatsApp's view once functionality was created to protect sensitive content, allowing the recipient to open a photo or video only once before the file is deleted. The proposal is simple: to offer an additional layer of privacy in conversations involving images that should not be stored on the device.

In practice, however, the functionality presents limitations that can compromise this security promise in certain scenarios. Although it is expected that there will always be external ways to capture an image, such as photographing the screen with another phone, we identified that recent versions of iOS and macOS implemented new functionalities which go unnoticed by WhatsApp, opening space for situations where it is not possible to identify certain screen captures and mirroring.

The expected behavior on Android

On Android, WhatsApp adopts a very rigid strategy: when it detects that an external application is trying to record or mirror the screen, the application replaces the sensitive content with a black screen. This prevents both the recording and indirect viewing of the media in real time. The result is consistent protection against capture attempts.

The scenario on iOS with macOS Sequoia 15+

On iOS, screen recording blocking continues to work as expected. The problem arises, however, when using the iPhone Mirroring feature on macOS Sequoia 15. In this case, WhatsApp does not prevent the display of the image marked as View Once.

This means that, although recording is correctly blocked, it is still possible to take screenshots directly on the Mac while the image is displayed. This technical detail transforms a feature that should be transitory into something potentially persistent, contradicting the security objective of the functionality.

To reproduce this behavior, just follow a few simple steps:

  1. On a MacBook with macOS Sequoia 15 or later, start the iPhone Mirroring application.

  1. On WhatsApp, send an image configured as "View Once".

  2. Open the image on the iPhone mirrored on the MacBook.

In this way, it is possible to observe that the view once image, in this example a QR code, is displayed without any restriction on the macOS screen. This screen can later be used to take a screenshot or even be connected to a broadcast display and accidentally leak sensitive content.

Practical implications

This technical detail should not be confused with a critical security flaw but rather understood as a limitation of the View Once protection model. The problem was recognized by Meta itself, the owner of WhatsApp, which does not intend to fix it in the short term because it considers it an acceptable risk within the purpose of the feature.

The most worrying implication is not just the possibility of extracting the image but the risk of accidental exposure. In contexts of screen sharing in meetings, broadcasts or presentations, content that should be ephemeral could end up being involuntarily displayed to third parties.

Conclusion

View Once remains a useful layer of privacy but it should not be seen as an insurmountable barrier. The case observed on iOS with macOS Sequoia shows how different combinations of platforms can create unexpected exceptions to the designed behavior.

For users, the lesson is clear. Content sent via WhatsApp, even with additional security features, should not be treated as fully protected against copying or exposure. Technology can reduce risks but it does not eliminate the possibility that supposedly ephemeral messages will be preserved.

#security#cybersecurity-1#pentesting

More from this blog

B

Bypassec

6 posts

Stay updated and learn about hacking and cybersecurity with Bypassec, the number 1 platform for Hacking Competitions 🎯