Earlier this month, WhatsApp expanded its capabilities on Apple’s iOS with some iPhone-specific feature integrations. The app now supports biometric authentication through Apple’s Face ID and Touch ID technologies. However, a bug has been found in the implementation that gives anyone access to WhatsApp on an iPhone.

Reports point to a flaw in the integration that means anyone can bypass the app lockscreen to open WhatsApp without using Touch ID or Face ID.

First observed by Redditor d_X_ter, the bug seems to work when the user has set authentication to trigger after 1 minute, 15 minutes, or 1 hour. If the trigger time is set to immediately, the bug is not present.

The poster suggests the bug is started when the WhatsApp Share Extension is used. Touch ID and Face ID authentication should trigger when someone wants to share something from WhatsApp on iOS Share Sheet, but that is not happening.

Access

Because of the bug, users can jump to the home screen from iOS Share and open WhatsApp without being stopped by Touch ID or Face ID. It is worth noting the attacker would still need device access and indeed for the iPhone to already be open. This bypass does not navigate past the device lockscreen.

That said, it is possible to access iOS Share Sheet from the photos app, which can be accessed without unlocking the device:

  1. Get to the iOS Share Sheet through any method
  2. Click on the WhatsApp icon in the iOS Share Sheet.
  3. While transitioning to the next screen, you observe that no FaceID or TouchID verification takes place if an option other than “Immediately” was set previously. Now just exit out to the iOS Home Screen. (If in some cases, it asks for FaceID or TouchID verification, just cancel it and try clicking on WhatsApp icon in the iOS Share Sheet again).
  4. Try to open WhatsApp and voila, it simply lets you inside WhatsApp without FaceID or TouchID verification.

Facebook-owned WhatsApp has yet to respond to the bug but the company must now be aware of its existence. We expect a fix to be issued soon, but in the meantime don’t reply on Touch ID or Face ID to keep the app locked down.