Reports point to a flaw in the integration that lets anyone bypass the app lock screen and open WhatsApp without using Touch ID or Face ID. First observed by Redditor d_X_ter, the bug seems to work when the user has set authentication to trigger after 1 minute, 15 minutes, or 1 hour. If the trigger time is set to immediately, the bug is not present. The poster suggests the bug is triggered when the WhatsApp Share Extension is used. Touch ID and Face ID authentication should trigger when someone wants to share something from WhatsApp on the iOS Share Sheet, but that is not happening.

Access

Because of the bug, users can jump to the home screen from iOS Share and open WhatsApp without being stopped by Touch ID or Face ID. It is worth noting that the attacker would still need device access, and indeed the iPhone would already need to be open. This bypass does not navigate past the device lock screen. That said, it is possible to access the iOS Share Sheet from the Photos app, which can be accessed without unlocking the device.

Facebook-owned WhatsApp has yet to respond to the bug, but the company must now be aware of its existence. We expect a fix to be issued soon, but in the meantime don’t rely on Touch ID or Face ID to keep the app locked down.
