Facebook has patched a bug in its widely installed Messenger app for Android that could have allowed a remote attacker to call unsuspecting targets and listen to them before even they picked up the audio call.
The flaw was discovered and reported to Facebook by Natalie Silvanovich of Google’s Project Zero bug-hunting team last month on October 6 with a 90-day deadline, and impacts version 218.104.22.168.119 (and before) of Facebook Messenger for Android.
In a nutshell, the vulnerability could have granted an attacker who is logged into the app to simultaneously initiate a call and send a specially crafted message to a target who is signed in to both the app as well as another Messenger client such as the web browser.
“It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out,” Facebook’s Security Engineering Manager Dan Gurfinkel said.
According to a technical write-up by Silvanovich, the flaw resides in WebRTC’s Session Description Protocol (SDP) — which defines a standardized format for the exchange of streaming media between two endpoints — allowing an attacker to send a special type of message known as “SdpUpdate” that would cause the call to connect to the callee’s device before being answered.
Audio and video calls via WebRTC typically does not transmit audio until the recipient has clicked the accept button, but if this “SdpUpdate” message is sent to the other end device while it is ringing, “it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”
In some ways, the vulnerability bears similarity to a privacy-eroding flaw that was reported in Apple’s FaceTime group chats feature last year that made it possible for users to initiate a FaceTime video call and eavesdrop on targets by adding their own number as a third person in a group chat even before the person on the other end accepted the incoming call.
The gaffe was deemed so severe that Apple pulled the plug on FaceTime group chats altogether before it addressed the issue in a subsequent iOS update.
But unlike the FaceTime bug, exploiting the issue isn’t that easy. The caller would have to already have the permissions to call a specific person — in other words, the caller and the callee would have to be Facebook friends to pull this off.
What’s more, the attack also necessitates that the bad actor uses reverse engineering tools like Frida to manipulate their own Messenger application to force it to send the custom “SdpUpdate” message.
Silvanovich was awarded a $60,000 bug bounty for reporting the issue, one among Facebook’s three highest bug bounties to date, which the Google researcher said she was donating to a non-profit named GiveWell.
This not the first time Silvanovich has found critical flaws in messaging apps, who has previously unearthed a number of issues in WhatApp, iMessage, WeChat, Signal, and Reliance JioChat, some of which have found the “callee device to send audio without user interaction.”