A WhatsApp security vulnerability has been discovered in a new feature introduced earlier this month …
WhatsApp added the ability to lock the app so that it requires Face ID or Touch ID to access chats. The idea was to protect sensitive content on occasions when your phone is unlocked, for example while passing it around a group to show a photo or meme.
That struck me as a useful idea, and one I’d like to see offered in other apps – including some Apple ones.
Adding that additional protection option to a chat app seems sensible. Given the popularity of posting a fake Facebook status as a prank, offering the same option for things like social networks might also be handy.
There are quite a few stock Apple apps that could benefit too. Messages, Mail, Calendar, Notes and Health, for example.
But one Reddit user found a problem with the protection: you can use the iOS Share Sheet to open the app. All is good if you’ve set it to require biometric login immediately, but if you’ve selected any other time interval, the share sheet access resets the timer – and someone can then open WhatsApp without verification.
1. Get to the iOS Share Sheet through any method (e.g. in the Photos app).
2. Tap the WhatsApp icon in the iOS Share Sheet.
3. While transitioning to the next screen, you observe that no Face ID or Touch ID verification takes place if an option other than "Immediately" was set previously. Now just exit out to the iOS Home Screen. (If in some cases it asks for Face ID or Touch ID verification, just cancel it and try tapping the WhatsApp icon in the iOS Share Sheet again.)
4. Try to open WhatsApp and voila, it simply lets you inside WhatsApp without Face ID or Touch ID verification.
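Added example, not code from the article or from WhatsApp: a small Python model of the interval-based lock the steps above describe, with the reported reset-on-entry behaviour beside the intended behaviour. The `AppLock` class, its field names, and the assumption that the Share Sheet entry stamped the unlock timer before (or regardless of) authentication are mine.

```python
from dataclasses import dataclass


@dataclass
class AppLock:
    """Model of an interval-based biometric app lock.

    `interval` is the number of seconds after the last successful unlock during
    which the app may be reopened without re-authenticating (0 == "Immediately").
    `reset_on_any_entry` reproduces the reported bug: any foreground entry
    (e.g. via the Share Sheet) refreshes the timer even without biometrics.
    """
    interval: float
    reset_on_any_entry: bool
    last_unlock: float = float("-inf")  # never unlocked yet

    def needs_auth(self, now: float) -> bool:
        return now - self.last_unlock > self.interval

    def open_app(self, now: float, auth_succeeds: bool) -> bool:
        """Normal launch from the Home Screen. True if chats become visible."""
        if not self.needs_auth(now):
            return True
        if auth_succeeds:
            self.last_unlock = now  # intended: stamp only on successful auth
            return True
        return False

    def open_via_share_sheet(self, now: float, auth_succeeds: bool) -> bool:
        """Entry through the Share Sheet extension. True if content is visible."""
        if self.reset_on_any_entry:
            # Bug (assumed mechanism): the timer is stamped on entry, so a later
            # launch within `interval` finds the app "recently unlocked".
            self.last_unlock = now
            return True
        return self.open_app(now, auth_succeeds)


def bypass_succeeds(interval: float, buggy: bool) -> bool:
    """Replay the reported sequence: owner unlocks once, time passes beyond the
    interval, someone enters via the Share Sheet and cancels any prompt, then
    launches the app. Returns True if the chats open without biometrics."""
    lock = AppLock(interval=interval, reset_on_any_entry=buggy)
    lock.open_app(now=0.0, auth_succeeds=True)               # owner's real unlock
    t = interval + 60.0                                      # well past the interval
    lock.open_via_share_sheet(now=t, auth_succeeds=False)    # prompt cancelled
    return lock.open_app(now=t + 1.0, auth_succeeds=False)   # launch, no biometrics
```

With the "Immediately" setting (interval 0) the model requires authentication on every launch, which is why the interim advice in the article closes the gap.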
Reuters reports that Facebook – which owns the app – has acknowledged the WhatsApp security vulnerability, and promised a rapid fix.
“We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to ‘immediately,’” a WhatsApp spokesperson said by email.
Three-quarters of 9to5Mac readers would like the ability to lock other sensitive apps.