Facebook promises a prompt fix for WhatsApp’s Face/Touch ID vulnerability

WhatsApp recently brought an optional feature for locking your chats with Face ID or Touch ID, requiring a positive biometric scan to unlock the app, but it can be bypassed through iOS’s system-wide Share sheets. Facebook is aware of the problem and has promised a prompt fix.

With any Face/Touch ID interval option other than Immediately selected, the lock timer is reset any time a user invokes WhatsApp via iOS’s multi-purpose Share sheet to send files over the service.

The security system fails when any interval option other than Immediately is selected.

This issue was discovered and reported Tuesday by Reddit user “u/de_X_ter”, who described the steps to reproduce the bug:

1) Get to the iOS Share sheet through any method.

2) Click on the WhatsApp icon in the Share sheet.

3) While transitioning to the next screen, you observe that no Face ID or Touch ID verification takes place if an option other than Immediately was set previously. Now just exit out to the Home Screen. If, in some cases, it asks for Face ID or Touch ID verification, just cancel it and try clicking on the WhatsApp icon in the Share sheet again.

4) Open WhatsApp and you’ll be inside the app without Face ID or Touch ID verification.

iDownloadBlog has verified the bug. Again, this issue does not manifest itself if Immediately has been set inside WhatsApp’s Screen Lock settings.
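
The behaviour described above can be modelled as a grace-interval lock whose timer is restarted by an unauthenticated entry point. The following is an added illustration, not WhatsApp's code (its implementation is not public); the class, field names, interval values and timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScreenLock:
    """Hypothetical model of an app lock with a grace interval (0 = Immediately)."""
    interval_s: int                     # constructed values, e.g. 0, 60, 900
    share_entry_restarts_timer: bool    # True models the reported flaw
    last_trusted: Optional[float] = None  # start of the current grace window

    def biometric_success(self, now: float) -> None:
        # The only event that should ever start a grace window.
        self.last_trusted = now

    def _within_grace(self, now: float) -> bool:
        return (self.interval_s > 0
                and self.last_trusted is not None
                and now - self.last_trusted < self.interval_s)

    def open_from_share_sheet(self, now: float) -> bool:
        """Entry via the Share sheet. Returns True if no biometric prompt is shown."""
        if self.share_entry_restarts_timer:
            # Flawed variant: an unauthenticated entry restarts the window.
            self.last_trusted = now
        return self._within_grace(now)

    def open_app(self, now: float) -> bool:
        """Normal launch. Returns True if no biometric prompt is shown."""
        return self._within_grace(now)


def opens_without_prompt(lock: ScreenLock, idle_s: float = 7200) -> bool:
    """Owner unlocks at t=0, device sits idle past every interval, then the
    app is entered through the Share sheet and launched normally."""
    lock.biometric_success(now=0)
    lock.open_from_share_sheet(now=idle_s)
    return lock.open_app(now=idle_s + 5)


if __name__ == "__main__":
    for interval in (0, 60, 900):
        flawed = opens_without_prompt(ScreenLock(interval, True))
        fixed = opens_without_prompt(ScreenLock(interval, False))
        print(f"interval={interval:>3}s  flawed: no prompt={flawed}  fixed: no prompt={fixed}")
```

In the corrected variant only a successful biometric check starts a grace window, so the Share sheet entry is evaluated against the existing window instead of extending it.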

A WhatsApp spokesperson confirmed the problem to Reuters:

We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to Immediately.

Until the promised fix arrives, double-check your interval setting: tap WhatsApp’s Settings tab, then tap Account → Privacy → Screen Lock and select Immediately from the list.

Set the timer option to Immediately and you’ll be on the safe side.
