Vulnerability found in new WhatsApp biometrics feature

A security flaw has been found in the biometric analysis function of the messaging service

Network security and ethical hacking specialists from the International Institute of Cyber Security report the discovery of a vulnerability in one of the privacy features recently added to the WhatsApp messaging service.

A couple of weeks ago, WhatsApp enabled biometric recognition to access the application, with the purpose of protecting users' sensitive content when the phone is unlocked. It is a very useful function, but its implementation apparently has some drawbacks. For now, this feature is only available for some Apple devices.

According to experts in network security, a user of the social network Reddit found a security flaw in this new feature: a user can access WhatsApp from the iOS Share Sheet without having to go through biometric identification. A user who configured immediate biometric login is not affected by this incident; however, if the user selected a time interval, access to the Share Sheet resets the timer, and anyone could access the app without verifying their identity.

According to the user, the process to exploit this flaw is:

  • Access the iOS Share Sheet, for example through the photo app
  • Click on the WhatsApp icon in the iOS Share Sheet
  • During the transition to the next screen, note that the Face ID or Touch ID check is not performed if an option other than “immediately” was set in advance. Now just go to the iOS home screen
  • Open WhatsApp; you can now access it without biometric identification (either facial recognition or fingerprint)
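The timer behaviour described above can be modelled in a few lines. This is an added example, not WhatsApp's code: the class, its fields and the timings are hypothetical, and it only shows why the grace timer should restart after a verified biometric match and not on any other entry into the app.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockGate:
    """Hypothetical model of an app lock with a grace interval (not WhatsApp's code)."""
    grace: float                  # seconds; 0 models the "immediately" option
    reset_on_share: bool          # True models the timer reset the article describes
    last_trusted: Optional[float] = None  # time of the last event that restarted the timer

    def biometric_success(self, now: float) -> None:
        # Only a verified Face ID / Touch ID match should ever restart the timer.
        self.last_trusted = now

    def needs_prompt(self, now: float) -> bool:
        return self.last_trusted is None or now - self.last_trusted >= self.grace

    def open_from_share_sheet(self, now: float) -> bool:
        """Return True if a biometric prompt is required on this entry path."""
        if self.reset_on_share:
            # Flaw: an unauthenticated entry point is counted as user activity.
            self.last_trusted = now
        return self.needs_prompt(now)

    def open_from_home_screen(self, now: float) -> bool:
        return self.needs_prompt(now)


def scenario(grace: float, reset_on_share: bool) -> tuple:
    """Owner unlocks at t=0; the phone is picked up again at t=600 (constructed times)."""
    gate = LockGate(grace=grace, reset_on_share=reset_on_share)
    gate.biometric_success(0)
    share = gate.open_from_share_sheet(600)   # Share Sheet, then the WhatsApp icon
    home = gate.open_from_home_screen(605)    # back to the home screen, open the app
    return share, home


if __name__ == "__main__":
    print("flawed, 60 s interval:", scenario(60, True))   # (False, False)
    print("flawed, immediately  :", scenario(0, True))    # (True, True)
    print("fixed,  60 s interval:", scenario(60, False))  # (True, True)
```

With the reset in place and a non-zero interval, neither entry path asks for biometrics; with the “immediately” setting, or with the reset removed, both do.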

Network security teams at Facebook, the company that owns WhatsApp, say that they have already identified the vulnerability; the social network assures that a correction will be implemented as soon as possible.

“We have knowledge of this error; a solution will be available shortly. For now, we recommend that users configure the screen block interval to the ‘immediately’ option so as not to be exposed to the exploitation of this flaw,” mentions a company spokesman.