WhatsApp bug lets users bypass new privacy controls

A security bug is allowing users to bypass new privacy controls introduced by Facebook-owned messaging service WhatsApp on iPhones this month, the service said on Wednesday after users posted about the problem on social media.

The disclosure comes as messaging and other applications race to improve security and privacy and as Facebook Inc is addressing criticism for not safeguarding privacy.

WhatsApp’s new privacy feature allows iPhone users to require Touch ID or Face ID — fingerprint or facial recognition — to open the app but users were able to bypass those log-in methods by using the iPhone’s “share” function to send files over WhatsApp.

Users can set verification to be required immediately upon log-in, meaning they would need to supply Touch ID or Face ID each time they open WhatsApp, or at intervals of up to an hour, allowing them to toggle between apps on the iPhone for that time period.

The security system fails when users select any interval option other than “immediately.”

A user named "u/de_X_ter" wrote a Reddit post detailing the problem on Tuesday. Reuters verified the bug.

“We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to ‘immediately,’” a WhatsApp spokesperson said by email.

Last month a user discovered a privacy flaw with Apple’s FaceTime group video chat software, which allowed iPhone users to see and hear others before they accept a video call. Apple rolled out an iOS update to fix the issue.

Apple did not immediately respond to questions on whether a similar fix would be required for the WhatsApp glitch.