WhatsApp Flaw Could Enable iOS Message Snooping
Facebook Promises Quick Patch for Face ID and Touch ID Bypassing Problem
Facebook says it will soon fix a bug in WhatsApp that could allow circumvention of a security feature launched just last month for Apple devices.
In January, WhatsApp turned on compatibility with Face ID and Touch ID, which are Apple's biometric security features. The upgrade allows users to set a time interval after which the app asks for authentication.
Users can choose "immediately" or postpone having to reauthenticate until after one minute, 15 minutes or an hour. It's a convenience-versus-security tradeoff feature that's common in many mobile apps. Those who frequently open WhatsApp may not want to be nagged to authenticate again.
But a Reddit user described how authentication can be bypassed if a user hasn't set the time interval to "immediately."
A Facebook spokesman says: "We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to 'immediately'."
The authentication requirement can be circumvented through Apple's sharing extensions, which allow material from one application to be shared with another. For example, someone can open a web page in a mobile browser, then send a link to the content to an email account.
The Reddit post describes the circumvention as follows: Once the sharing extensions have been opened, a user can select the WhatsApp icon. No authentication is required when the app starts. If someone then exits to the iOS home screen and opens WhatsApp again, no authentication is required.
The post notes that if WhatsApp does ask for Touch ID or Face ID, trying the sharing extension trick a second time may work.
The bug probably doesn't pose a huge risk as long as users keep control of their device.
But in certain scenarios, this could allow someone to read WhatsApp messages. iOS doesn't require users to set a passcode to lock the phone, so a device with no passcode would be vulnerable to this if left unattended.
Most users, however, do set a passcode, Face ID or Touch ID. Users can also set a time period after which reauthentication is required at the device level, although it is automatically set to "immediately" if Touch ID or Apple Pay is enabled.
If a user requires immediate authentication after a device has been locked, an attacker would have to get past that barrier first. But if no authentication on the phone itself has been enabled and the device is left unattended, the bypass could conceivably be useful to an attacker.
The bug is another gaffe for Facebook, following a string of other incidents that have brought regulatory attention, lawsuits and calls for better data stewardship.
Facebook has faced criticism for failing to stop misleading content on its network and for allowing Russian actors to influence the 2016 U.S. presidential election. The social network has since pledged increased investments in security and human reviewers.
It also is still managing the fallout from the Cambridge Analytica scandal, in which the voter-profiling firm improperly obtained profile details for 87 million users. The U.S. Federal Trade Commission is reportedly considering a fine of up to $5 billion against Facebook after concluding its investigation into the social network's privacy controls and sharing of personal data (see: Report: Facebook Faces Multibillion Dollar US Privacy Fine).