WhatsApp View Once: Four Exploits and a Funeral

With 3 billion active users spanning every geography, age group, and technical sophistication level, WhatsApp carries more private human communication than any platform in history. View Once is its promise to journalists, activists, abuse survivors, and ordinary users that sensitive media will be seen once and disappear forever. We broke that promise. Four times. Over two years of research and responsible disclosure, we dismantled View Once through four successive exploits, each one forcing a deeper dive into WhatsApp’s internal architecture: end-to-end encryption (E2EE) with the Signal Protocol’s Double Ratchet algorithm, multi-device support with the Sesame Algorithm, and WhatsApp’s inter-device Sync protocol. We detail these exploits technically and walk through the disclosure process and its outcomes. The first three were properly fixed. WhatsApp surprisingly gave up on fixing the fourth. The talk is deeply technical, but the deepest finding is not. This inconsistency stems from a single methodological flaw: no defined security model for View Once. Without a target, every failure becomes a “best effort” shrug. We call this Cheshire Cat Security: when you don’t know where you’re going, any road gets you there. We close by proposing a relevant security model for View Once, articulating what we believe it should defend against, what should be explicitly scoped out, and how existing DRM technology already provides the foundation to build it right.


About the Speaker