Facebook Messenger Bug Allows Spying on Android Users
Facebook has recently patched a significant flaw in the Android version of Facebook Messenger that could have allowed attackers to spy on users and potentially identify their surroundings without their knowledge. The vulnerability was found during a security audit by Natalie Silvanovich, a researcher working for Google's Project Zero security team.
In a bug report made public today, Silvanovich said the bug resided in the WebRTC protocol that the Messenger app uses to support audio and video calls.
In a normal scenario, audio from the person making the call would not be transmitted until the person on the other end accepts the call. This is implemented in the app by either not calling setLocalDescription until the person being called has clicked the accept button, or setting the audio and video media descriptions in the local Session Description Protocol (SDP) to inactive and updating them when the user clicks the button, Silvanovich explained.
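The second gating approach described above, sketched as an added example (this is not Facebook's or Project Zero's code): a check that every audio and video section of a local SDP is inactive before the call is accepted, and a helper that flips the direction on accept. The sample SDP is constructed, and the function names are hypothetical.

```javascript
// Constructed sample local SDP (not captured from Messenger).
const SAMPLE_SDP = [
  "v=0", "o=- 1 1 IN IP4 127.0.0.1", "s=-", "t=0 0",
  "m=audio 9 UDP/TLS/RTP/SAVPF 111", "c=IN IP4 0.0.0.0", "a=mid:0", "a=sendrecv",
  // The video section has no direction attribute, so it defaults to sendrecv.
  "m=video 9 UDP/TLS/RTP/SAVPF 96", "c=IN IP4 0.0.0.0", "a=mid:1",
].join("\r\n") + "\r\n";

const DIRECTIONS = ["sendrecv", "sendonly", "recvonly", "inactive"];
const directionOf = (line) =>
  line.startsWith("a=") && DIRECTIONS.includes(line.slice(2)) ? line.slice(2) : null;
const isAv = (mLine) => /^m=(audio|video) /.test(mLine);

// Effective direction of each audio/video section; falls back to the session-level value, then sendrecv.
function mediaDirections(sdp) {
  let sessionDir = "sendrecv", cur = null;
  const sections = [];
  for (const line of sdp.split(/\r?\n/).filter(Boolean)) {
    const dir = directionOf(line);
    if (line.startsWith("m=")) {
      cur = { kind: line.slice(2).split(" ")[0], direction: null };
      if (isAv(line)) sections.push(cur);
    } else if (dir && cur) cur.direction = dir;
    else if (dir) sessionDir = dir;
  }
  return sections.map((s) => ({ kind: s.kind, direction: s.direction ?? sessionDir }));
}

// Return a copy of the SDP with every audio/video section set to the given direction.
function setMediaDirection(sdp, direction) {
  if (!DIRECTIONS.includes(direction)) throw new Error("unknown direction: " + direction);
  const out = [];
  let inAv = false, pending = false; // pending: current a/v section has no direction line yet
  for (const line of sdp.split(/\r?\n/).filter(Boolean)) {
    if (line.startsWith("m=")) {
      if (pending) out.push("a=" + direction);
      inAv = pending = isAv(line);
      out.push(line);
    } else if (inAv && directionOf(line)) {
      out.push("a=" + direction);
      pending = false;
    } else out.push(line);
  }
  if (pending) out.push("a=" + direction);
  return out.join("\r\n") + "\r\n";
}

// Gate for the pre-accept local description: every audio/video section must be inactive.
const safeBeforeAccept = (sdp) => mediaDirections(sdp).every((m) => m.direction === "inactive");
```

A client would run `safeBeforeAccept` on the description it is about to apply while the call is still ringing, and call `setMediaDirection(sdp, "sendrecv")` only from the accept-button handler.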
Exploiting the bug takes a few seconds, according to Silvanovich's bug report. The Google researcher reported the issue to Facebook last month, and the social media giant patched it on 11/19/2020 in an update to its Messenger for Android app.
In fact, Silvanovich’s identification of the Messenger bug, which earned her a $60,000 bounty, was one of several that the company highlighted in a blog post published Thursday celebrating the program’s 10th anniversary.
“After fixing the reported bug server-side, our security researchers applied additional protections against this issue across our apps that use the same protocol for 1:1 calling,” Dan Gurfinkel, Facebook security engineering manager, wrote in the post. He added that Silvanovich’s award is one of the three highest ever awarded, “which reflects its maximum potential impact.”
Silvanovich chose to donate the “generously awarded” bounty to GiveWell, a nonprofit that organizes charitable donations to ensure their maximum impact, she disclosed on Twitter. Silvanovich is among a number of Google Project Zero researchers who have been active lately in identifying serious vulnerabilities in popular apps. In the past month, researchers from the group have discovered significant zero-day vulnerabilities not only in Google’s own Chrome browser, but also in Apple’s mobile devices and Microsoft Windows.