A researcher from Google’s Project Zero has discovered a flaw in Facebook Messenger’s calling function that would allow an attacker to listen to the target’s surroundings without his consent. Facebook has rolled out a patch through a server-side update and rewarded the researcher with a $60K bounty.
Bug in Messenger Lets Attackers Spy on You!
Facebook’s Messenger, which has over a billion downloads from the Google Play Store alone, has a flaw in its calling functionality that could let an attacker snoop on the target’s audio without his consent. This was discovered by Natalie Silvanovich, a researcher from Google’s Project Zero.
The attacker sends a message called SdpUpdate to the target, which tricks the target’s Messenger into behaving as if the call had already been answered, so it transmits audio before the user accepts the call. The flaw was spotted in the Facebook Messenger for Android client, version v2184.108.40.206.119, and Facebook fixed it through a server-side update.
Technical details of the Facebook calling bug https://t.co/wwL9gedW8c
— Natalie Silvanovich (@natashenka) November 19, 2020
As Silvanovich detailed, “the callee does not transmit audio until the user has consented to accept the call, which is implemented by either not calling setLocalDescription until the callee has clicked the accept button, or setting the audio and video media descriptions in the local SDP to inactive and updating them when the user clicks the button (which strategy is used depends on how many endpoints the callee is logged into Facebook on).”
The researcher has also published Python-based proof-of-concept (PoC) exploit code in Google’s Project Zero bug tracker. According to it, the attack proceeds through the following phases:
- Waits for the offer to be sent, and saves the sdpThrift field from the offer
- Sends an SdpUpdate message with this sdpThrift to the target
- Sends a fake SdpAnswer message to the *attacker* so the device thinks the call has been answered and plays the incoming audio
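The consent rule Silvanovich describes can be enforced on the callee side by keeping media inactive and refusing SdpUpdate until the user accepts. The sketch below is an added example, not code from Messenger or from the Project Zero report: the `CalleeCall` class, `forceInactive` helper and sample SDP are hypothetical, and only the message type names come from the article.

```javascript
// Added example: hypothetical callee-side consent gate (not Messenger's code).
// Message type names come from the article; everything else is assumed.
const DIRECTION = /^a=(sendrecv|sendonly|recvonly|inactive)\s*$/;

// Constructed sample SDP: audio is sendrecv, video has no direction line
// (which defaults to sendrecv).
const SAMPLE_SDP = [
  'v=0', 'o=- 1 1 IN IP4 0.0.0.0', 's=-', 't=0 0',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111', 'a=sendrecv',
  'm=video 9 UDP/TLS/RTP/SAVPF 96',
].join('\r\n') + '\r\n';

// Rewrite an SDP so every media section is explicitly a=inactive.
function forceInactive(sdp) {
  const out = [];
  let inMedia = false;
  let hasDirection = false;
  const closeSection = () => {
    if (inMedia && !hasDirection) out.push('a=inactive');
  };
  for (const line of sdp.split(/\r?\n/).filter(Boolean)) {
    if (line.startsWith('m=')) {
      closeSection();
      inMedia = true;
      hasDirection = false;
      out.push(line);
    } else if (DIRECTION.test(line)) {
      hasDirection = inMedia;
      out.push('a=inactive');
    } else {
      out.push(line);
    }
  }
  closeSection();
  return out.join('\r\n') + '\r\n';
}

class CalleeCall {
  constructor() { this.state = 'ringing'; this.refused = []; }
  accept() { this.state = 'accepted'; } // wired only to the accept button
  // Returns the SDP that may be applied locally, or null if refused.
  onSignal(msg) {
    if (msg.type === 'SdpUpdate' && this.state !== 'accepted') {
      this.refused.push(msg.type); // keep for logging and alerting
      return null;
    }
    return this.state === 'accepted' ? msg.sdp : forceInactive(msg.sdp);
  }
}
```

Entries in `refused` mark a peer that sent a renegotiation message before the call was answered, which is worth surfacing in client telemetry.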
Facebook awarded Silvanovich a $60,000 bug bounty, which she decided to donate in full to the GiveWell Maximum Impact Fund. Soon after, Facebook’s Product Security Manager, Collin Greene, announced a match of Silvanovich’s donation, doubling the donation to GiveWell to $120,000.