Facebook has recently patched a critical flaw in the Android Facebook Messenger that could allow a malicious attacker to spy on users without knowing, this means that Facebook Messenger Bug allows spying on users.
A security researcher, Natalie Silvanovich at Google Project Zero that existed in app’s implementation of WebRTC, a protocol that is used make audio and video calls by exchanging a series of thrift messages between the callee and caller.
Normally when a person calls another person the would not be transmitted until the receiver accepts the call and that gets implemented either not calling setLocalDescription until another person receives the call or setting the audio and video media descriptions in the local SDP to inactive and updating them when the user clicks the button, Silvanovich explained.
However, there is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately. If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.Silvanovich explains
In the report, the researcher has demonstrated the step-by-step procedure to reproduce the flaw and to successfully exploit this Facebook Messenger bug t would take only a few minutes but this also needs that the attacker is the Facebook friend of the attacker in order to call.
Silvanovich reported the vulnerability to Facebook on Oct 6 and the vulnerability has now been fixed by Facebook. The tech giant also highlighted the Facebook Messanger bug in their 10th bug bounty program which rewarded her $60,000 bounty.
After fixing the reported bug server-side, our security researchers applied additional protections against this issue across our apps that use the same protocol for 1:1 calling