A researcher has uncovered a new method to bypass WhatsApp’s View Once feature, marking the fourth such bypass disclosed by Tal Be’ery, who is a co-founder and CTO of Zengo. Be’ery says previous bypasses were patched by WhatsApp, and he received a bug bounty for one of them, with SecurityWeek publishing details of the latest approach after demonstrating it and sharing a video of the exploit.
The bypass relies on a modified WhatsApp client, and Be’ery notes that attackers could also leverage a browser extension and WhatsApp Web for mass exploitation. Meta has been informed but states it will not patch this vulnerability because the issue falls outside its security model and bug bounty scope, arguing that preventing capture on a completely rivaled device or modified client is not feasible within its policy.
Be’ery advocates a digital rights management system to curb such abuse, while Meta argues that DRM would still be vulnerable and that View Once is intended as an extra privacy layer, not a forensic-grade data deletion tool. According to SecurityWeek, the company emphasised that client spoofing and unofficial clients lie outside the bug bounty program.