A bug in the Android version of Facebook Messenger was recently patched.
As mentioned in the headline, this bug could have allowed hackers to spy on Android users and identify their “surroundings” without notice.
These kinds of worrying spyware events become more prevalent with each passing year.
Do you want to know more details about it?
Spyware Alert Caused By Facebook Messenger Bug
A researcher from Google Project Zero, Natalie Silvanovich, discovered this vulnerability.
She said it existed in the app’s implementation of WebRTC (the protocol used for audio and video calls).
She explained in an online post that it works by “exchanging a series of thrift messages between the callee and caller.”
Dan Gurfinkel (Security Engineering Manager of Facebook) expanded…
“It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out.”
Normally, the caller’s audio wouldn’t be transmitted until the other person answers.
According to Silvanovich’s bug report, exploiting the bug takes just a few seconds. However, the attacker would also need permissions (such as being a Facebook friend of the user) before exploiting the bug.
Inside the report, she provided a step-by-step reproduction of the issue.
“This is rendered in the app by either not calling setLocalDescription until the person being called has clicked the “accept button,” or setting the audio and video media descriptions in the local Session Description Protocol (SDP) to inactive and updating them when the user clicks the button.”
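An added example, not code from the bug report or from Facebook: a callee-side gate in JavaScript that applies the second approach in the quote above, holding every media section of the local SDP at inactive until the user accepts. The function names and the sample SDP are constructed for illustration.

```javascript
// Added example with constructed data; all names here are hypothetical.
const DIRECTIONS = ["sendrecv", "sendonly", "recvonly", "inactive"];
const isDirection = (l) => l.startsWith("a=") && DIRECTIONS.includes(l.slice(2));

// Split an SDP into its session-level lines and one block per m= section.
function splitSections(sdp) {
  const sections = [[]];
  for (const line of sdp.split(/\r?\n/).filter((l) => l.length > 0)) {
    if (line.startsWith("m=")) sections.push([]);
    sections[sections.length - 1].push(line);
  }
  return { session: sections[0], media: sections.slice(1) };
}

// Media kinds this endpoint would send. A section without a direction
// attribute inherits the session-level one; the SDP default is sendrecv.
function sendingSections(sdp) {
  const { session, media } = splitSections(sdp);
  const sessionDir = session.find(isDirection) || "a=sendrecv";
  return media
    .filter((m) => ["a=sendrecv", "a=sendonly"].includes(m.find(isDirection) || sessionDir))
    .map((m) => m[0].split(" ")[0].slice(2)); // "audio", "video"
}

// Rewrite every media section to a=inactive (the state while ringing).
function holdUntilAccepted(sdp) {
  const { session, media } = splitSections(sdp);
  const notDirection = (l) => !isDirection(l);
  const held = media.map((m) => [...m.filter(notDirection), "a=inactive"]);
  return [session.filter(notDirection), ...held].flat().join("\r\n") + "\r\n";
}

// Gate for every local description, whichever signaling message prompted it.
function gateLocalDescription(sdp, userAccepted) {
  const out = userAccepted ? sdp : holdUntilAccepted(sdp);
  if (!userAccepted && sendingSections(out).length > 0) {
    throw new Error("local SDP would send media before the call was accepted");
  }
  return out;
}

// Constructed sample: a minimal local answer whose media default to sending.
const SAMPLE_ANSWER = [
  "v=0", "o=- 1 1 IN IP4 127.0.0.1", "s=-", "t=0 0",
  "m=audio 9 UDP/TLS/RTP/SAVPF 111", "a=mid:0", "a=sendrecv",
  "m=video 9 UDP/TLS/RTP/SAVPF 96", "a=mid:1",
].join("\r\n") + "\r\n";
```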
The weakness resembles a privacy-eroding flaw reported a year ago in Apple’s FaceTime group chats, which made it possible for users to start a FaceTime video call and eavesdrop on targets by adding their own number as a third person in a group chat, even before the person on the other end accepted the incoming call.
The flaw was considered so severe that Apple reassessed FaceTime group chats altogether before it addressed the issue in a subsequent iOS update.
Unlike the FaceTime bug mentioned above, this issue wasn’t easy to exploit. The bad actor would also need to use reverse-engineering tools (Frida, for example) to manipulate the Messenger app and force it to send custom “SdpUpdate” messages.
Dan Gurfinkel also wrote in the post that “after fixing the reported bug server-side, our security researchers applied additional protections against this issue across our apps that use the same protocol for 1:1 calling.”
He added: “Silvanovich’s award is one of the three highest ever awarded, which reflects its maximum potential impact.”
Silvanovich did not hesitate to comment, in a Twitter message, on the $60,000 bug bounty Facebook awarded her for reporting the bug.
Facebook generously awarded a bounty of $60,000 for this bug, which I’m donating to the @GiveWell Maximum Impact Fund https://t.co/JvZt9Fw4nx
— Natalie Silvanovich (@natashenka) November 19, 2020
As you can see, the Google researcher chose to donate it to GiveWell, a non-profit that manages charity activities for maximum use of funds.
While this might or might not be the first thing that comes to mind after receiving $60k, it’s clear this is not the first time she has found critical flaws in apps, more specifically in messaging apps like WhatsApp, iMessage, WeChat, and Signal.
Speaking of which, Facebook is raising its bug bounty offerings through its new loyalty program (called Hacker Plus).
The company claims it’s the first of its kind. Its goal is to keep incentivizing cybersecurity experts and researchers to find vulnerabilities in its platforms, as in the case of the Messenger app.
Those capable enough to find them will earn big bounty awards, plus bonuses such as access to more products and features to stress-test, as well as an invitation to Facebook’s annual events.
Is this something you would like?
If so, don’t sleep on it: jump to our Bug Bounty blog post to learn more about this role.