WhatsApp fixes Face ID and Touch ID authentication bypass

Pierluigi Paganini February 22, 2019

WhatsApp recently implemented Face ID and Touch ID authentication for Apple iOS app, but unfortunately, it can be easily bypassed.

Earlier February, WhatsApp introduced Face ID and Touch ID authentication for its iOS app to allow users to lock the application using the Face ID facial recognition and Touch ID fingerprint systems.

The security feature can be enabled from Settings -> Account -> Privacy -> Screen Lock menu item. Users can choose the authentication method (Face ID or Touch ID) and set up the interval of time used by the device to lock itself (immediately, after 1 minute, after 15 minutes, or after 1 hour).

A Reddit user discovered that the authentication method chosen by the owner could be bypassed if the duration is not set to “immediately” and the owner is using the Share Sheet in iOS. The Share Sheet allows sharing items or contents through various media like Facebook, Twitter.

Below the step by step procedure to bypass the authentication.

“The latest FaceID and TouchID integration with WhatsApp has a privacy screen lock bypass bug for the WhatsApp application” wrote the Reddit user.

  1. Get to the iOS Share Sheet through any method, for example through the Photos app.
  2. Click on the WhatsApp icon in the iOS Share Sheet.
  3. While transitioning to the next screen, you observe that no FaceID or TouchID verification takes place if an option other than “Immediately” was set previously. Now just exit out to the iOS Home Screen. (If in some cases, it asks for FaceID or TouchID verification, just cancel it and try clicking on WhatsApp icon in the iOS Share Sheet again).
  4. Try to open WhatsApp and voila, it simply lets you inside WhatsApp without FaceID or TouchID verification.
Face ID WhatsApp

The good news is that WhatsApp already addressed the bug with the release of the latest version of the iOS app.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – iOS Face ID, authentication bypass flaw)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment