Privacy – Gadget Issues (https://gadgetissues.com)

WhatsApp Patches Bug That Allowed Users to Bypass ‘View Once’ Privacy Feature
https://gadgetissues.com/whatsapp-patches-bug-that-allowed-users-to-bypass-view-once-privacy-feature/
Mon, 03 Feb 2025 07:22:33 +0000

WhatsApp has resolved a bug that allowed malicious users to save images and videos sent using the platform’s “View Once” privacy feature, which is designed to ensure media disappears after being viewed.

In September, TechCrunch reported that a flaw in WhatsApp’s implementation of the feature enabled users of its browser-based web app to bypass these protections. Normally, “View Once” prevents recipients from saving, sharing, forwarding, copying, screenshotting, or screen recording media. However, the bug allowed users to display and retain the media instead of it vanishing as intended.

On Friday, WhatsApp spokesperson Zade Alsawah confirmed to TechCrunch that the company has rolled out a long-term fix addressing the issue.

“We’re constantly building in layers of privacy protection, and that includes rolling out key updates to View Once on web,” Alsawah said in an email. “As always, we continue to encourage users to only send View Once messages to people they know and trust, and make sure they’re on the latest version of the app.”

The bug was flagged by security researcher Tal Be’ery, who has been investigating WhatsApp’s privacy issues this year. Be’ery alerted both WhatsApp and TechCrunch about the vulnerability. However, he wasn’t the only one to discover it. At the time, several browser extensions and social media posts promoted tools to bypass the feature, enabling users to install an extension and automatically save “View Once” media.

Following WhatsApp’s recent fix, users of those browser extensions, some of which required paid subscriptions, have complained that the tools no longer work. “Does not work AT ALL. Don’t waste your time,” wrote one disgruntled user.

TechCrunch conducted a test on Friday and confirmed that when receiving a “View Once” message on WhatsApp’s web app, the platform now displays a warning message similar to the one shown on its desktop app.

Ecovacs Reverses Course, Commits to Fixing Security Flaws That Could Enable Spying on Robot Owners
https://gadgetissues.com/ecovacs-reverses-course-commits-to-fixing-security-flaws-that-could-enable-spying-on-robot-owners/
Mon, 03 Feb 2025 07:11:26 +0000

Earlier this month, security researchers revealed a series of alarming vulnerabilities in Ecovacs’ robotic vacuums and lawn mowers that could allow hackers to spy on users through the devices’ microphones and cameras. Initially, Ecovacs downplayed the severity of the flaws, stating they were “extremely rare” and required specialized tools or physical access to exploit. However, just two weeks later, the company has reversed its stance, committing to address the issues after further review.

“We have conducted an in-depth verification and self-examination. We have identified several areas where there is room for improvement,” Martin Ma, director of Ecovacs’ security committee, told TechCrunch in an email. “In response, we have initiated targeted improvements and are addressing the issues highlighted.”

The vulnerabilities were first brought to light during a presentation by security researchers Dennis Giese and Braelynn Luedtke at the annual Def Con hacking conference in Las Vegas on August 10. The duo analyzed 11 Ecovacs devices and uncovered multiple security flaws, with one particularly concerning vulnerability standing out: it allows attackers to connect to an Ecovacs robot via Bluetooth from up to 450 feet (approximately 130 meters) away using a phone. Once connected, hackers could take control of the device and remotely monitor users through the robot’s internet-connected features.

Other flaws included a bug that could let someone regain access to a robot vacuum even after selling it and deleting their account, potentially enabling them to spy on the new owners.

Ecovacs’ Initial Response and Change of Heart

When the researchers initially disclosed their findings, Ecovacs responded by saying the vulnerabilities were unlikely to affect typical users and did not commit to fixing them. However, after their presentation at Def Con, the company took a closer look.

In an email to Giese dated August 16, shared with TechCrunch, Ma acknowledged that the talk had “captured [his] attention.” He admitted that Ecovacs had “inadvertently overlooked” the researchers’ initial emails from December 2023 and promised corrective action.

“We have carefully reviewed your points raised in the previous emails and the demos at Def Con 2024, and conducted an in-depth verification and self-examination,” Ma wrote. The company plans to address the issues in two specific models — the Goat G1 and the X1 — as well as in the Ecovacs app.

Ma also praised the researchers for their work, stating, “Your analysis has been greatly valued and appraised by our technical team. Your insights are invaluable in safeguarding the security and integrity of our products, and they contribute significantly to the consumer electronics industry as a whole.”
