Facebook has addressed a major security issue in its Messenger for Android app that could have allowed threat actors to spy on users by placing and connecting Messenger audio calls without their interaction.
The vulnerability was discovered by white-hat hacker Natalie Silvanovich, from Google’s Project Zero team.
The flaw resides in the handling of the Session Description Protocol (SDP) used by WebRTC, which the Messenger app implements to support audio and video calls.
SDP carries the session data that sets up a WebRTC connection, and Silvanovich discovered that it is possible to use an SDP message to approve a WebRTC connection without any user interaction.
“However, there is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately. If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings,” reads the report published by Silvanovich.
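The defensive pattern the fix implies, shown as an added illustration that is neither Facebook's code nor Silvanovich's PoC: on the callee side, any signaling message that would apply a local description (and so start local media) is gated on the user having accepted the call. `FakePeerConnection`, `CalleeSession` and the `SdpUpdate`/`Offer` message shapes are constructed stand-ins for this example, not the app's real objects.

```javascript
// Stand-in for RTCPeerConnection that only records which methods ran.
// (Constructed for this example; not a real WebRTC object.)
class FakePeerConnection {
  constructor() { this.calls = []; }
  setRemoteDescription(desc) { this.calls.push(["setRemoteDescription", desc.type]); }
  setLocalDescription(desc) { this.calls.push(["setLocalDescription", desc.type]); }
}

// Callee-side call state. "ringing" means the user has not pressed Accept yet;
// local media must not be negotiated before that.
class CalleeSession {
  constructor(pc, gateOnAccept) {
    this.pc = pc; this.state = "ringing"; this.gateOnAccept = gateOnAccept;
  }
  accept() { this.state = "accepted"; }

  // Handles one signaling message from the caller. With gateOnAccept=false the
  // behaviour mirrors the report: an SdpUpdate-style message applies the local
  // description immediately, even while the device is still ringing.
  handleSignal(msg) {
    if (msg.kind === "Offer") {
      this.pc.setRemoteDescription({ type: "offer", sdp: msg.sdp });
      return "remote-set";
    }
    if (msg.kind === "SdpUpdate") {
      if (this.gateOnAccept && this.state !== "accepted") {
        return "rejected: call not accepted"; // hardened path: drop and log
      }
      this.pc.setLocalDescription({ type: "answer", sdp: msg.sdp });
      return "local-set";
    }
    return "ignored";
  }
}

// Replays a constructed signaling sequence (offer, then an SdpUpdate that
// arrives while ringing, then Accept, then another SdpUpdate) and reports
// whether local media would have started before the user accepted.
function simulate(gateOnAccept) {
  const pc = new FakePeerConnection();
  const session = new CalleeSession(pc, gateOnAccept);
  const results = [];
  results.push(session.handleSignal({ kind: "Offer", sdp: "v=0 (constructed)" }));
  results.push(session.handleSignal({ kind: "SdpUpdate", sdp: "v=0 (constructed)" }));
  const startedBeforeAccept = pc.calls.some(([m]) => m === "setLocalDescription");
  session.accept();
  results.push(session.handleSignal({ kind: "SdpUpdate", sdp: "v=0 (constructed)" }));
  return { results, startedBeforeAccept, calls: pc.calls };
}
```

Running `simulate(false)` reproduces the ringing-time local description the report describes, while `simulate(true)` only applies it after `accept()`.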
Silvanovich also published proof-of-concept (PoC) code that was tested against version 2184.108.40.206.119 of Facebook Messenger for Android.
The issue, which was subject to Google's 90-day disclosure deadline, was reported to Facebook in October, and the social network giant addressed it on November 17, 2020. Facebook released an update to its Messenger for Android app on November 19, 2020.
“It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out. To exploit this issue, an attacker would have to already have the permissions to call this particular person by passing certain eligibility checks (e.g. being friends on Facebook). They’d also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a custom message,” reads the post published by Facebook. The company also awarded $60,000 for the bug as part of its bug bounty program.
The good news is that Silvanovich has chosen to donate the payout to GiveWell, a non-profit that coordinates various charity activities.
In October 2018, Silvanovich discovered a similar vulnerability in WhatsApp that could have been exploited by attackers to crash a victim's instant messaging app simply by placing a call. That vulnerability was a heap memory-corruption (heap overflow) issue.
(SecurityAffairs – hacking, Facebook Messenger)