Facebook Says Problem Will Be Patched Soon
jeremy_kirk • February 21, 2019

Facebook says it will soon fix a bug in WhatsApp that could allow circumvention of a security feature launched just last month for Apple devices.
In January, WhatsApp turned on compatibility with Face ID and Touch ID, which are Apple's biometric security features. The upgrade let users set a time interval after which the app would ask for authentication again.
Users can choose "immediately" or postpone having to reauthenticate until after one minute, 15 minutes or an hour. It's a convenience-versus-security trade-off that's common in many mobile apps. Those who frequently open WhatsApp may not want to be nagged to authenticate again.
But a Reddit user described how authentication can be bypassed if someone hasn't set the time interval to "immediately."
A Facebook spokesman says: "We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to 'immediately'."
Sharing...WhatsApp Messages
The authentication requirement can be circumvented through Apple's sharing extensions, which allow material from one application to be shared with another. For example, someone can access a web page through a mobile browser, then send a link to the content to an email account.
The Reddit post describes the circumvention as follows: Once the sharing extensions have been opened, someone can select the WhatsApp icon. No authentication is required when the app starts. If someone then exits to the iOS home screen and opens WhatsApp again, no authentication is required.
The post notes that if WhatsApp does ask for Touch ID or Face ID, trying the sharing extension trick a second time may work.
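As an added illustration (not WhatsApp's code, which is not shown on this page), the Python model below captures the class of defect the post describes: an app lock whose grace interval is enforced on a normal launch but whose share-extension entry point never consults the gate, beside a version that routes every entry path through the same gate. The class, method names and the simulated clock are assumptions of the model.

```python
from typing import Optional

IMMEDIATELY = 0  # grace interval in seconds; the setting Facebook recommended


class AppLock:
    """Simulated in-app lock with a re-authentication grace interval.

    gate_all_entry_points=False reproduces the reported behaviour; True is the
    hardened variant where every way into the app passes the same gate.
    """

    def __init__(self, grace_seconds: int, gate_all_entry_points: bool) -> None:
        self.grace = grace_seconds
        self.gate_all = gate_all_entry_points
        self.unlocked = False                       # no successful auth yet
        self.backgrounded_at: Optional[int] = None  # None = app is in foreground
        self.now = 0                                # simulated clock (seconds)

    def tick(self, seconds: int) -> None:
        self.now += seconds

    def background(self) -> None:
        # Leaving the app starts the grace timer.
        self.backgrounded_at = self.now

    def _gate(self, biometric_ok: bool) -> bool:
        """Single authentication gate: demand biometrics when the app was never
        unlocked or the grace interval since backgrounding has elapsed."""
        in_background = self.backgrounded_at is not None
        grace_expired = in_background and self.now - self.backgrounded_at >= self.grace
        if not self.unlocked or grace_expired:
            self.unlocked = bool(biometric_ok)
        self.backgrounded_at = None  # app is now in the foreground
        return self.unlocked

    def open_from_home(self, biometric_ok: bool = False) -> bool:
        return self._gate(biometric_ok)

    def open_from_share_extension(self, biometric_ok: bool = False) -> bool:
        if self.gate_all:
            return self._gate(biometric_ok)
        # Defect modelled here: the extension entry point skips the gate and
        # leaves the session unlocked, so a later launch from the home screen
        # inside the grace window is also waved through.
        self.unlocked = True
        self.backgrounded_at = None
        return True
```

The fix is architectural rather than a timer tweak: any code path that brings the app to the foreground, including extensions, must call the same gate before exposing content.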
Low-ish Risks
The bug probably doesn't pose a huge risk for people as long as they keep control of their device.
But in certain scenarios, this could allow someone to read WhatsApp messages. iOS doesn't require someone to set a passcode to lock the phone, so a device with no passcode would be vulnerable to this if left unattended.
Most users, however, do set a passcode, Face ID or Touch ID. Users can also set a time period after which re-authentication is required at the device level, although it is automatically set to "immediately" if Touch ID or Apple Pay is enabled.
If someone requires immediate authentication after a device has been locked, an attacker would have to get past that barrier first. But if no authentication on the phone itself has been enabled and the device is left unattended, this could conceivably be useful.
The bug is another gaffe for Facebook that follows a string of other incidents that have brought regulatory attention, lawsuits and calls for better data stewardship.
Facebook has faced criticism for a failure to stop misleading content on its network and allowing Russian actors to influence the 2016 U.S. presidential election. The social network has since pledged investments in security and human reviewers.
It also is still managing the fallout from the Cambridge Analytica scandal - the voter-profiling firm that improperly obtained profile details for 87 million users. The FTC is reportedly considering a multibillion-dollar fine against Facebook as part of an investigation that focuses on the social network's privacy controls and sharing of personal data (see Report: Facebook Faces Multibillion Dollar US Privacy Fine).