Facebook Messenger app for Android had a critical flaw that allowed callers to listen to other users’ surroundings without permission before the person on the other end picked up the call.
Attackers could have exploited this bug by sending a special type of message known as SdpUpdate that would cause the call to connect to the callee’s device before it was answered.
The flaw was discovered and reported to Facebook by Natalie Silvanovich of Google’s Project Zero bug and it was found on version 222.214.171.124.119 of Facebook Messenger for Android last month
Silvanovich said that if that message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, that would allow an attacker to monitor the callee’s surroundings.
Usually, the callee does not transmit audio until the user has consented to accept the call, which is implemented by either not calling setLocalDescription until the callee has clicked the accept button, or setting the audio and video media descriptions in the local SDP to inactive and updating them when the user clicks the button.
Silvanovich also provided Python-based proof-of-concept (PoC) exploit code to reproduce the issue on Project Zero’s bug tracker.
Facebook has fixed the issue now and in order to reproduce the fixed issue, an audio call has to be made to the target device after running the PoC on the attacker’s device.
After waiting a few seconds, the attacker can hear audio from the target’s surroundings through their device’s speakers.
To automatically connect the call, the PoC has to follow some steps:
- Waits for the offer to be sent, and saves the sdpThrift field from the offer
- Sends a SdpUpdate message with this sdpThift to the target
- Sends a fake SdpAnswer message to the *attacker* so the device thinks the call has been answered and plays the incoming audio.
After fixing the bug reported by Project Zero server-side, Facebook’s security researchers applied additional protections across other apps that use the same protocol for 1:1 calling.
The company also awarded Silvanovich with a $60,000 bounty for finding and disclosing this Messenger for Android bug.
Dan Gurfinkel, Facebook’s Security Engineering Manager said that this report is among their three highest bug bounties at $60,000, which reflects its maximum potential impact. The researcher decided to donate the entire sum to the GiveWell Maximum Impact Fund.
Facebook Messenger for Android has been installed on more than 1 billion Android devices according to the app’s official Play Store page.
Image Credits : New York Post