The WhatsApp Revolution: PINs and Custom Names Are on the Way

The messenger is preparing large-scale updates to protect data.

WhatsApp continues to improve its app with new features that make communication more convenient and secure. In the latest beta update for Android (version 2.24.18.2), which became available through the Google Play Beta Program, the company announced the development of a unique username feature with PIN support.

A username will allow you to choose a unique nickname for your WhatsApp accounts. Using a nickname instead of a phone number will give users more control over their privacy and the ability to hide their number from new contacts.

Also in this build, there is an option to set a PIN code for the nickname. It will serve as an additional layer of protection - before starting a dialogue, unfamiliar users will have to enter this code. However, for contacts with whom you already have a conversation, you don't need to use a PIN.

The PIN code setup page will appear after the user chooses a nickname. The code must be at least 4 digits long and cannot be the same as the two-factor authentication code.

It is worth noting that the nickname and PIN code functions are still in development and are not available to beta testers. It is not known when they will appear in the official version of the messenger.

Presumably, WhatsApp is also working on an option to block messages from unknown contacts and on new stickers. But details about these features have not yet been disclosed.

Once-view crash: Anyone can save your data on WhatsApp.
One of the main security features in the messenger turned out to be unreliable.

A serious vulnerability has been discovered in the popular WhatsApp messenger, which has an audience of more than 2 billion people around the world. It allows attackers to bypass the "View Once" feature and view messages repeatedly.

The feature appeared in WhatsApp three years ago. With it, users can share photos, videos, and voice messages, which are automatically deleted from the chat after the first opening. According to Meta, the recipient cannot forward, share, copy, or take screenshots of such messages.

It is important to note that a one-time view blocks screenshots on mobile devices only. On the desktop and web versions of WhatsApp, blocking is not supported.

The Zengo X Research Team found that Meta did not foresee several important points during development. A loophole found by researchers allows attackers to easily save and share copies of material sent in a one-time view. Zengo CTO Tal Be'eri said that they notified Meta of their findings, but when it turned out that the vulnerability was already being exploited, they decided to make the information public to protect WhatsApp users.

It turns out that when a one-time view is activated, messages are sent to all of the recipient's devices in encrypted form. They are almost identical to regular messages, but contain the URL of the encrypted data on the WhatsApp web server and the key to decrypt it. In addition, such messages have a "View once" flag with a value of "true".

Be'eri explains that disposable messages are sent to all recipients' devices, including those that are not allowed to display them. Moreover, the data is not deleted from WhatsApp's servers immediately after uploading. This means that it is impossible to restrict access to media files only to controlled environments and platforms.

The problem is exacerbated by the fact that some versions of messages in one-time view mode contain low-quality media previews that are available without a full download. By changing the "View once" flag to "false", you can forward and share data that should be protected in the first place.

According to Be'eri, the function should either be radically reworked or completely canceled. Despite the fact that Zengo researchers were the first to officially report this issue to Meta and publish a report, it turned out that the vulnerability has been exploited for at least a year. During this time, the attackers even managed to create special browser extensions that simplify the process of bypassing protection.

According to BleepingComputer, tools to bypass the "View Once" feature have already appeared on the web. In particular, at least two extensions for the Google Chrome browser were found that allow you to disable the security flag and access disposable messages. One of these extensions was released back in 2023.

A WhatsApp spokesperson assured that the company is already working on updates to the web version of the application. In light of the identified issues, the company strongly recommends that users send one-time messages only to verified contacts they fully trust.
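The weaknesses described above (delivery to devices that cannot enforce the restriction, media left on the server after download, and a flag that only the client honours) all come from enforcing "View once" on the client. The sketch below is an added example, not WhatsApp's or Zengo's code: a hypothetical `ViewOnceStore` in which the server refuses platforms that cannot enforce the restriction and deletes the media on first delivery. The class, the platform list and the assumption that the server can trust the platform claim are illustrative.

```python
import secrets


class ViewOnceStore:
    """Hypothetical server-side store: the server, not a message flag, enforces the single view."""

    def __init__(self, allowed_platforms=("android", "ios")):
        self.allowed = set(allowed_platforms)  # assumed: platforms that can block capture
        self.blobs = {}                        # media_id -> (recipient, ciphertext)
        self.audit = []                        # (media_id, platform, outcome)

    def upload(self, recipient, ciphertext):
        media_id = secrets.token_urlsafe(16)
        self.blobs[media_id] = (recipient, ciphertext)
        return media_id

    def fetch(self, media_id, user, platform):
        entry = self.blobs.get(media_id)
        if entry is None:
            outcome, data = "denied: already viewed or unknown", None
        elif entry[0] != user:
            outcome, data = "denied: not the recipient", None
        elif platform not in self.allowed:
            outcome, data = "denied: platform cannot enforce view once", None
        else:
            # Delete on first successful delivery so no later request can succeed.
            outcome, data = "delivered", self.blobs.pop(media_id)[1]
        self.audit.append((media_id, platform, outcome))
        return data


def demo():
    store = ViewOnceStore()
    media_id = store.upload("bob", b"<constructed ciphertext>")  # constructed sample data
    web = store.fetch(media_id, "bob", "web")         # refused, blob kept for a valid device
    first = store.fetch(media_id, "bob", "android")   # delivered, blob deleted
    second = store.fetch(media_id, "bob", "android")  # refused, nothing left to serve
    return web, first, second, [o for _, _, o in store.audit]


if __name__ == "__main__":
    print(demo())
```

A client on an allowed platform still holds whatever it legitimately receives, so this narrows the delivery and retention gaps without making the recipient's device trustworthy.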
 