Logic bugs found in popular apps, including Signal and FB Messenger

Flaws in popular messaging apps, such as Signal and FB Messenger allowed to force a target device to transmit audio to an attacker device.

Google Project Zero security researcher Natalie Silvanovich found multiple flaws in popular video conferencing apps such as Signal and FB Messenger, that allowed to force a target device to transmit audio of the surrounding environment to an attacker device.

The bugs are similar to a logic flaw discovered in January 2019 in Group FaceTime that allowed to hear a person’s audio before he answers,

The logic flaws affect Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps, the good news is that they have been already fixed by the development teams.

“The ability to force a target device to transmit audio to an attacker device without gaining code execution was an unusual and possibly unprecedented impact of a vulnerability. Moreover, the vulnerability was a logic bug in the FaceTime calling state machine that could be exercised using only the user interface of the device.” reads the post published by Silvanovich. “While this bug was soon fixed, the fact that such a serious and easy to reach vulnerability had occurred due to a logic bug in a calling state machine — an attack scenario I had never seen considered on any platform — made me wonder whether other state machines had similar vulnerabilities as well. “

Most of video conferencing applications use WebRTC, while peers could establish WebRTC connections by exchanging call set-up information in Session Description Protocol (SDP), this process is called signalling.

In a typical WebRTC connection, the caller starts off by sending an SDP offer to the received, which in turn responds with an SDP answer. 

The messages contain most information that is needed to transmit and receive media, including codec support, encryption keys and much more. 

“Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection. However, when I looked at real applications they enabled transmission in many different ways. Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee.” continues the post.

The logical flaws also potentially allowed the caller to force a callee device to transmit audio or video data.

Silvanovich discovered that data is shared even if the receiver has not interacted with the application to answer the call.

• Signal addressed the logical bug in the Android version in September 2019. “The application didn’t check that the device receiving the connect message was the caller device, so it was possible to send a connect message from the caller device to the callee. This caused the audio call to connect, allowing the caller to hear the callee’s surroundings”
• JioChat (flaw in the Android app fixed in July 2020) and Mocha (flaw in the Android app fixed in August 2020). “This design has a fundamental problem, as candidates can be optionally included in an SDP offer or answer. In that case, the peer-to-peer connection will start immediately, as the only thing preventing the connection in this design is the lack of candidates, which will in turn lead to transmission from input devices. I tested this by using Frida to add candidates to the offers created by each of these applications. I was able to cause JioChat to send audio without user consent, and Mocha to send audio and video. Both of these vulnerabilities were fixed soon after they were filed by filtering SDP on the server.

• Facebook Messenger addressed the bug in November 2020.
• Google Duo solved the bug in December 2020.

“The majority of the bugs did not appear to be due to developer misunderstanding of WebRTC features. Instead, they were due to errors in how the state machines are implemented. That said, a lack of awareness of these types of issues was likely a factor. It is rare to find WebRTC documentation or tutorials that explicitly discuss the need for user consent when streaming audio or video from a user’s device.” concludes the expert.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, mobile apps)

[adrotate banner=”5″]

[adrotate banner=”13″]