Facebook Messenger Bug Let Attackers Hear Users Without Their Consent

Facebook Starts Testing End-to-End Encryption For Audio/Video Calls in Messenger
Facebook Starts Testing End-to-End Encryption For Audio/Video Calls in Messenger

A researcher from Google’s Project Zero has discovered a flaw in Facebook’s Messenger calling function, which would allow an attacker to exploit for listening to the target’s surroundings without his consent. Facebook has rolled out a patch and rewarded the researcher with $60K bounty. This is patched through a server-side update.

Bug in Messenger Lets Attackers Spy on You!

Facebook’s Messenger, which is having over a billion downloads from Google Playstore alone has a flaw in its calling functionality, that’ could let an attacker spoof target’s sounds without his consent. This was discovered by Natalie Silvanovich, a researcher from Google’s Project Zero.

The attacker is supposed to send a message called SdpUpdate to the target, which fools the target’s Messenger that he may have lifted the call already, thus sending the sounds even before accepting the call. This was spotted in Facebook Messenger for Android client in version v284.0.0.16.119, and updated by Facebook through a server-side update.

As Silvanovich detailed, “the callee does not transmit audio until the user has consented to accept the call, which is implemented by either not calling setLocalDescription until the callee has clicked the accept button, or setting the audio and video media descriptions in the local SDP to inactive and updating them when the user clicks the button (which strategy is used depends on how many endpoints the callee is logged into Facebook on).”

The researcher has also published a Proof-of-concept (PoC) exploit code based on Python in Google’s Project Zero bug tracker. According to that, the bug triggered by the attacker goes through the following exploit phases;

  1. Waits for the offer to be sent, and saves the sdpThrift field from the offer
  2. Sends an SdpUpdate message with this sdpThift to the target
  3. Sends a fake SdpAnswer message to the *attacker* so the device thinks the call has been answered and plays the incoming audio

Facebook has awarded Silvanovich with $60,000 bug bounty. And when she decided to donate all this money to GiveWell Maximum Impact Fund. Soon after this, Facebook’s Product Security Manager, Collin Greene announced to match Silvanovich’s decision, thus doubling the donation to GiveWell to $120,000.

Other Trending News:-  News

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post
Instagram

Instagram will allow users to search using Keywords

Next Post
Instagram Users Can Now See Their Home Feed in Chronological Order

Facebook Sues a Man For Scraping Data of Over 100K Instagram Users

Related Posts