Ever wonder if someone is spying on what you’re doing online? What if someone is monitoring the messages you’ve received and sent on, let’s say, Facebook Messenger? What would your reaction be if someone is actually listening to your Messenger calls?
It’s appalling, right? Unfortunately, this has actually been the case with a Messenger bug that allows hackers to listen to your audio calls on the Android app.
The good thing though, Facebook was quick to fix this critical bug that spies on users without them knowing.
Messenger for Android bug has let hackers listen to audio calls
The issue was first discovered on Facebook by Natalie Silvanovich of Google’s Project Zero bug-hunting team. It was also reported this last October 6th, with a 90-day deadline. It affects version 2126.96.36.199.119 (and earlier) of Facebook Messenger’s Android app.
The said bug which was found in its widely installed Messenger app for Android, allows hackers to listen to calls made to unsuspecting targets before they can even pick up the call.
It seems like the vulnerability grants an attacker who is logged into the app, to call and send personalized messages at the same time, to an unsuspecting victim who is signed in to both the Messenger app and the web browser.
According to Facebook’s Security Engineering Manager, Dan Gurfinkel, “…it would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers, or the call times out.”
As stated in Silvanovich’s technical write-up, the flaw occupies the WebRTC’s Session Description Protocol (SDP) which defines a standardized format for the exchange of streaming media between two endpoints. This allows an attacker to send a specially-crafted message known as “SdpUpdate” that allows a call to connect to the victim’s device even before the call has been answered.
Video and audio calls via WebRTC normally do not transmit audio until the recipient has accepted the call. However, the “SdpUpdate” message sent to the other device while it is ringing will “cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”
Facebook fixed the Messenger bug
This flaw is said to be similar to Apple’s FaceTime group chats feature last year. Apple faced a technical issue that allowed users to initiate a FaceTime call and eavesdrop on victims simply by adding their own numbers as a third person in a group chat –– even before the person on the other line accepts the call.
It was thought to be so serious that as a result, Apple pulled the plug on FaceTime group chats completely before it addressed the issue in a succeeding iOS update.
Unlike FaceTime’s bug, exploiting the flaw is not a piece of cake. The caller would have to have permission to call a specific person. Strictly speaking, the attacker and the victim would have to be friends on Facebook to make this possible.
And what’s more? The attack must also mean that the attacker uses reverse engineering tools such as Frida to direct their own Messenger app to forcefully send the custom “SdpUpdate” message.
Facebook awarded Silvanovach a $60,000 bug bounty for reporting the issue to the company –– one of Facebook’s three highest bug bounties to date.