WhatsApp security vulnerability found in its new Face ID/Touch ID lock feature

A WhatsApp security vulnerability has been discovered in a new feature introduced earlier this month …

WhatsApp added the ability to lock the app so that it requires Face ID or Touch ID to access chats. The idea was to protect sensitive content on occasions when your phone is unlocked, for example while passing it around a group to show a photo or meme.

That struck me as a useful idea, and one I’d like to see offered in other apps – including some Apple ones.

Adding that additional protection option to a chat app seems sensible. Given the popularity of posting a fake Facebook status as a prank, offering the same option for things like social networks might also be handy.

There are quite a few stock Apple apps that could benefit too. Messages, Mail, Calendar, Notes and Health, for example.

But one Reddit user found a problem with the protection: you can use the iOS Share Sheet to open the app. All is good if you’ve set it to require biometric login immediately, but if you’ve selected any other time interval, the share sheet access resets the timer – and someone can then open WhatsApp without verification.

  1. Get to the iOS Share Sheet through any method (e.g. in the Photos app).

  2. Click on the WhatsApp icon in the iOS Share Sheet.

  3. While transitioning to the next screen, you observe that no FaceID or TouchID verification takes place if an option other than “Immediately” was set previously. Now just exit out to the iOS Home Screen. (If, in some cases, it asks for FaceID or TouchID verification, just cancel it and try clicking on the WhatsApp icon in the iOS Share Sheet again.)

  4. Try to open WhatsApp and voila, it simply lets you inside WhatsApp without FaceID or TouchID verification.

Reuters reports that Facebook – which owns the app – has acknowledged the WhatsApp security vulnerability, and promised a rapid fix.

“We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to ‘immediately,’” a WhatsApp spokesperson said by email.
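The behaviour described above, and why the “immediately” setting avoids it, can be modelled as a grace-period lock with two entry points. This is an added illustration, not WhatsApp's code: the root cause (the share-sheet entry point refreshing the unlock timestamp) is an assumption inferred from the reported symptoms, and `AppLock`, `refresh_on_share`, `replay` and the 60-second interval are hypothetical names and constructed values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AppLock:
    """Model of an app lock that re-prompts after a grace interval."""
    grace_seconds: int                  # 0 models the "Immediately" setting
    refresh_on_share: bool              # True = assumed flaw, False = hardened
    last_unlock: Optional[float] = None  # time the lock last counted as opened

    def needs_auth(self, now: float) -> bool:
        if self.last_unlock is None:
            return True
        # With grace_seconds == 0 this is always True, so a refreshed
        # timestamp cannot suppress the prompt.
        return now - self.last_unlock >= self.grace_seconds

    def biometric_success(self, now: float) -> None:
        # The only event that should ever move last_unlock forward.
        self.last_unlock = now

    def open_from_share_sheet(self, now: float) -> None:
        # Entry via the share sheet; the user leaves without authenticating.
        if self.refresh_on_share:
            self.last_unlock = now      # assumed flaw: timer reset, no check

    def open_main_app(self, now: float) -> str:
        return "prompt" if self.needs_auth(now) else "chats shown"


def replay(lock: AppLock) -> str:
    """Constructed timeline: unlock, idle for an hour, share sheet, reopen."""
    lock.biometric_success(now=0)          # owner unlocks normally
    lock.open_from_share_sheet(now=3600)   # grace interval expired long ago
    return lock.open_main_app(now=3601)    # what the next person sees


if __name__ == "__main__":
    print("flawed, 60 s grace:  ", replay(AppLock(60, True)))
    print("flawed, immediately: ", replay(AppLock(0, True)))
    print("hardened, 60 s grace:", replay(AppLock(60, False)))
```

The invariant to test for in any similar lock is that only a successful authentication may advance the timestamp the grace interval is measured from, whichever entry point the app is launched through.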

Three-quarters of 9to5Mac readers would like the ability to lock other sensitive apps.


Ben Lovejoy
