Earlier in the month, WhatsApp rolled out a biometric authentication feature for iOS users of the messenger app. However, it is now being reported that the implementation of biometric authentication using Face ID or Touch ID has a bug that grants access to anyone without verification. The privacy screen lock bypass bug was first reported on Reddit. WhatsApp has acknowledged the problem and will soon release an update to fix it.
According to the Reddit post, the bug occurs if the user selects any option other than 'Immediately' inside WhatsApp Settings -> Account -> Privacy -> Screen Lock. The other options include 'After 1 minute', 'After 15 minutes', and 'After 1 hour'. The bug could allow any user to bypass the iPhone's Face ID or Touch ID authentication by using the iPhone's share feature, which is used to send files over WhatsApp.
If the user has set the verification requirement to 'Immediately', they have to provide Touch ID or Face ID input each time they open WhatsApp. The authentication system fails when the user selects an interval option other than 'Immediately'.
Confirming the bug, a WhatsApp spokesperson said, "We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to 'immediately'."
WhatsApp had expected the messenger to become more secure than it previously was with the addition of Face ID and Touch ID support. However, issues with security have refused to die down for the Facebook-owned messenger.
Last month a user discovered a privacy flaw in Apple's FaceTime group video chat software, which allowed iPhone users to see and hear others before they accepted a video call. Apple rolled out an iOS update to fix the issue.
Also, if one jumps to the home screen from the iOS Share screen, they can open WhatsApp without any interference from Touch ID or Face ID. It doesn't matter if you are way past the 1-minute, 15-minute, or 1-hour mark set in WhatsApp Screen Lock. This is a weird bug, but it completely bypasses the screen lock in WhatsApp, rendering the whole biometric authentication useless. It is unclear if it is an issue with WhatsApp's implementation or an inherent bug in iOS.
The bug was seen on two iPhone units, one with Touch ID and the other with Face ID.
"We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to immediately," a WhatsApp spokesperson told Gadgets 360.
As WhatsApp notes, if you want to use biometric authentication on WhatsApp on iPhone, it is best to set the screen lock kick-in time to 'Immediately'. Any other option will leave your WhatsApp vulnerable to the bug. WhatsApp for Android doesn't include a similar feature right now.