According to reports, WhatsApp has “rolled out a longer-term fix that resolved the issue”. According to the company, users should update to the most recent version of the encrypted messaging app, which fixes the security flaw. Additionally, users should limit view-once messages to individuals they know and can trust.
Tal Be’ery, the security researcher who discovered the problem with the view-once feature, wrote on X: “The fix indeed addresses the root cause properly, so we are happy we were able to make the world a little safer!”
Be’ery explained that by including a view-once flag in the unencrypted metadata, WhatsApp was able to address the privacy issue.
However, the solution adds more unencrypted metadata, which could put users’ privacy at additional risk. More unencrypted metadata is de facto exposed to the WhatsApp server as a result of the solution. According to Be’ery, this could lead to other privacy issues.
“The fix highlights the known, yet often overlooked, fact that E2EE protects messages’ content but not their metadata,” Be’ery wrote in a blog post. “WhatsApp traded-off user increased privacy against receiver unauthorised view-once content access, against reduced privacy for unauthorised view-once metadata access on WhatsApp server.”
Swiss
