Application Security , Breach Response , Data Breach

WhatsApp Flaw Could Enable iOS Message Snooping

Facebook Promises Quick Patch for Face ID and Touch ID Bypassing Problem
WhatsApp Flaw Could Enable iOS Message Snooping

Facebook says it will soon fix a bug in WhatsApp that could allow circumvention of a security feature launched just last month for Apple devices.

See Also: 10 Incredible Ways You Can Be Hacked Through Email & How To Stop The Bad Guys

In January, WhatsApp turned on compatibility with Face ID and Touch ID, which are Apple's biometric security features. The upgrade allows users to set a time interval from which the app would ask for authentication.

Users can choose "immediately" or postpone having to reauthenticate until after one minute, 15 minutes or an hour. It's a convenience-versus-security tradeoff feature that's common in many mobile apps. Those who frequently open WhatsApp may not want to be nagged to authenticate again.

But a Reddit user described how authentication can by bypassed if a user hasn't set the time interval to "immediately."

A Facebook spokesman says: "We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to 'immediately'."

Circumvention

The authentication requirement can be circumvented through Apple's sharing extensions, which allow material from one application to be shared with another. For example, someone can access a web page through a mobile browser, then send a link to the content through to an email account.

"We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to 'immediately.'"
—Facebook

The Reddit post describes the circumvention as this: Once the sharing extensions have been opened, a user can select the WhatsApp icon. No authentication is required when the app starts. If someone then exits to the iOS home screen and opens WhatsApp again, no authentication is required.

The post notes that if WhatsApp does ask for Touch ID or Face ID, trying the sharing extension trick a second time may work.

Low-ish Risks

The bug probably doesn't pose a huge risk as long as users keep control of their device.

But in certain scenarios, this could allow someone to read WhatsApp messages. iOS doesn't require users to set a passcode to lock the phone, so a device with no passcode would be vulnerable to this if left unattended.

Alternatively, most users do set a passcode or Face ID or Touch ID. Users can also set a time period in which reauthentication is required at a device level, although it is automatically set to "immediately" if Touch ID or Apple Pay is enabled.

If a user requires immediate authentication after a device has been locked, an attacker would have to get past that barrier first. But if no authentication on the phone itself has been enabled and the device is left unattended, this could conceivably be useful.

The bug is another gaff for Facebook that follows a string of other incidents that have brought regulatory attention, lawsuits and calls for better data stewardship.

Facebook has faced criticism for a failure to stop misleading content on its network and allowing Russian actors to influence the 2016 U.S. presidential election. The social network has since pledged increased investments in security and human reviewers.

It also is still managing the fallout from the Cambridge Analytica scandal - the voter-profiling firm that improperly obtained profile details for 87 million users. The U.S. Federal Trade Commission is reportedly considering a fine of up to $5 billion against Facebook after concluding its investigation into the social network's privacy controls and sharing of personal data (see: Report: Facebook Faces Multibillion Dollar US Privacy Fine).


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.