WhatsApp vulnerability discovered that lets you bypass Face ID or Touch ID security feature

This WhatsApp iOS vulnerability was discovered and shared by a user on Reddit.

  • Published: February 20, 2019 11:34 AM IST

Earlier this month, WhatsApp introduced an important security feature for its users. With the integration of Face ID and Touch ID, users could now secure their chats from prying eyes. But it turns out this security feature has quite a glaring hole.

Reddit user u/de_X_ter has detailed steps that can potentially let anyone access a user’s chats even if they have been secured using Face ID or Touch ID. The vulnerability seems to be in the iOS sharing sheet, which lets you share something on your phone via WhatsApp.

To bypass the security feature, you will first need to share something via the iOS sharing sheet, and then tap on the WhatsApp icon. The user writes, “While transitioning to the next screen, you observe that no Face ID or Touch ID verification takes place. Now just exit out to the iOS Home Screen. (If in some cases, it asks for Face ID or Touch ID verification, just cancel it and try clicking on WhatsApp icon in the iOS Share Sheet again).”

The post, shared on Twitter by WABetaInfo, does note that these steps only work under certain conditions. The most important is the time after which Face ID or Touch ID is again required to access WhatsApp. The app gives you a few options, including ‘Immediately’, ‘After 1 minute’, ‘After 15 minutes’, and ‘After 1 hour’.


These steps work if the user has selected an option other than ‘Immediately’. You can re-check what option you’ve selected by heading over to WhatsApp Settings -> Account -> Privacy -> Screen Lock. This vulnerability seems restricted to the iOS app for now. It remains to be seen if this will affect Android users as well. We have reached out to WhatsApp for a response on this vulnerability, and will update this story as and when we hear from them.

