WhatsApp fixes Face ID and Touch ID authentication bypass

WhatsApp recently implemented Face ID and Touch ID authentication for Apple iOS app, but unfortunately, it can be easily bypassed.

Earlier February, WhatsApp introduced Face ID and Touch ID authentication for its iOS app to allow users to lock the application using the Face ID facial recognition and Touch ID fingerprint systems.

The security feature can be enabled from Settings -> Account -> Privacy -> Screen Lock menu item. Users can choose the authentication method (Face ID or Touch ID) and set up the interval of time used by the device to lock itself (immediately, after 1 minute, after 15 minutes, or after 1 hour).

A Reddit user discovered that the authentication method chosen by the owner could be bypassed if the duration is not set to “immediately” and the owner is using the Share Sheet in iOS. The Share Sheet allows sharing items or contents through various media like Facebook, Twitter.

Below the step by step procedure to bypass the authentication.

“The latest FaceID and TouchID integration with WhatsApp has a privacy screen lock bypass bug for the WhatsApp application” wrote the Reddit user.

Get to the iOS Share Sheet through any method, for example through the Photos app.
Click on the WhatsApp icon in the iOS Share Sheet.
While transitioning to the next screen, you observe that no FaceID or TouchID verification takes place if an option other than “Immediately” was set previously. Now just exit out to the iOS Home Screen. (If in some cases, it asks for FaceID or TouchID verification, just cancel it and try clicking on WhatsApp icon in the iOS Share Sheet again).
Try to open WhatsApp and voila, it simply lets you inside WhatsApp without FaceID or TouchID verification.

The good news is that WhatsApp already addressed the bug with the release of the latest version of the iOS app.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – iOS Face ID, authentication bypass flaw)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.