Facebook Messenger Bug Allows Spying on Android Users

  • Elizabeth
  • published date: 2020-11-20 10:11:00 UTC

The company patched a vulnerability that could connected video and audio calls without the knowledge of the person receiving them.

<div class="c-article__content js-reading-content"> <p>Facebook has patched a significant flaw in the Android version of Facebook Messenger that could have allowed attackers to spy on users and potentially identify their surroundings without them knowing.</p> <p>Natalie Silvanovich, a security researcher at <a href="" target="_blank" rel="noopener noreferrer">Google Project Zero</a>, discovered the vulnerability, which she said existed in the app’s implementation of WebRTC, a protocol used to make audio and video calls by “exchanging a series of thrift messages between the callee and caller,” she explained a <a href="" target="_blank" rel="noopener noreferrer">description</a> posted online.</p> <p>In a normal scenario, audio from the person making the call would not be transmitted until the person on the other end accepts the call. This is rendered in the app by either not calling setLocalDescription until the person being called has clicked the “accept button,” or setting the audio and video media descriptions in the local Session Description Protocol (SDP) to inactive and updating them when the user clicks the button, Silvanovich explained.</p> <p><a href=""><img loading="lazy" class="aligncenter wp-image-141989 size-full" src="" alt="" width="700" height="50"></a></p> <p>“However, there is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately,” she explained. “If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”</p> <p>Silvanovich provided a step-by-step reproduction of the issue in her report. Exploiting the bug would only take a few minutes; however, an attacker would already have to have permissions—i.e., be Facebook “friends” with the user–to call the person on the other end.</p> <p>Silvanovich disclosed the bug to Facebook on Oct. 6; the company fixed the flaw on Nov. 19, she reported. Facebook has had a bug bounty program <a href="" target="_blank" rel="noopener noreferrer">since 2011</a>.</p> <p>In fact, Silvanovich’s identification of the Messenger bug—which earned her a $60,000 bounty–was one of several that the company highlighted in a <a href="" target="_blank" rel="noopener noreferrer">blog post</a> published Thursday celebrating the program’s 10<sup>th</sup> anniversary.</p> <p>“After fixing the reported bug server-side, our security researchers applied additional protections against this issue across our apps that use the same protocol for 1:1 calling,” Dan Gurfinkel, Facebook security engineering manager, wrote in the post. He added that Silvanovich’s award is one of the three highest ever awarded, “which reflects its maximum potential impact.”</p> <p>Facebook recently bolstered its bug bounty offering with <a href="A%20loyalty%20program%20as%20part%20of%20its%20bug-bounty%20offering,%20which%20aims%20to%20further%20incentivize%20researchers%20to%20find%20vulnerabilities%20in%20its%20platform." target="_blank" rel="noopener noreferrer">a new loyalty program</a> that the company claims is the first of its kind. The program, called Hacker Plus, aims to further incentivize researchers to find vulnerabilities in its platform by offering bonuses on top of bounty awards, access to more products and features that researchers can stress-test, and invites to Facebook annual events.</p> <p>Silvanovich chose to donate the “generously awarded” bounty to <a href="" target="_blank" rel="noopener noreferrer">GiveWell</a>, a nonprofit that organizations charitable donations to ensure their maximum impact, she disclosed <a href="" target="_blank" rel="noopener noreferrer">on Twitter</a>.</p> <p>Silvanovich is among a number of Google Project Zero researchers who have been active lately at identifying serious vulnerabilities in popular apps. In the past month, researchers from the group have not only discovered significant <a href="" target="_blank" rel="noopener noreferrer">zero-day vulnerabilities</a> in Google’s own <a href="" target="_blank" rel="noopener noreferrer">Chrome browser</a>, but also in <a href="" target="_blank" rel="noopener noreferrer">Apple’s mobile devices</a> and <a href="" target="_blank" rel="noopener noreferrer">Microsoft Windows</a>.</p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Facebook Messenger Bug Allows Spying on Android Users" data-url="" data-counters="yes" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="">Mobile Security</a></li> <li><a class="c-label c-label--secondary-transparent" href="">Vulnerabilities</a></li> </ul> </div> </div> </footer> </div>