Facebook Patches Messenger Bug That Would Allow Audio and Video Spying
Facebook has released a patch to their popular Messenger application for Android phones. The discovered flaw would allow attackers to spy on users through both audio and video means. Natalie Silvanovich, a researcher at Google Project Zero, discovered the vulnerability, which she claims existed in the app’s implementation of WebRTC, an open framework for the web that enables Real-Time Communications (RTC) capabilities. WebRTC is used by Messenger to make audio and video calls between users.
In a description posted online, Silvanovich explains that normally, audio from the person making the call would not be transmitted until the intended receiver accepts the call. The application accomplishes this by either not calling the function setLocalDescription until the person being called has clicked the “accept” button, or by setting the audio and video media descriptions in the local Session Description Protocol (SDP) to inactive and updating them when the user clicks the button.
“However, there is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately,” she continued. “If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”
Silvanovich provided a step-by-step reproduction of the issue in her report. Exploiting the bug would only take a few minutes; however, an attacker would already have to have permissions—i.e., be Facebook “friends” with the user–to call the person on the other end. Silvanovich disclosed the bug to Facebook on Oct. 6; the company fixed the flaw on Nov. 19, she reported.
Sources: