Google Project Zero specialist Natalie Silvanovich discovered a dangerous bug in Facebook Messenger for Android and received $60,000 from the social network. The problem allowed an attacker to make audio calls and connect to already active calls without the callers being aware of it.
In her report, the specialist writes that the problem was related to the WebRTC protocol, which Messenger uses for audio and video calls, and specifically to its Session Description Protocol (SDP). This protocol carries the session data for WebRTC connections, and Silvanovich discovered that SDP messages could be abused to get a WebRTC connection auto-approved without any user interaction. In this case, the attack takes only a few seconds.
Normally, audio is transmitted only once the user has agreed to accept the call by pressing the answer button (this is the point at which setLocalDescription is called).
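As an added illustration, not code from Facebook, Messenger or the Project Zero report, the callee-side gating the article describes: remote SDP messages are held until the user presses answer, so only that press leads to setLocalDescription and thus to audio being sent. The class and message names are hypothetical, and the peer connection is a constructed synchronous mock standing in for the promise-based RTCPeerConnection API.

```javascript
// Hypothetical callee state machine: the local description (and therefore outgoing
// audio) is only set after the user's explicit answer, never on a signaling message alone.
const State = Object.freeze({ IDLE: "idle", RINGING: "ringing", ANSWERED: "answered" });

class CalleeSession {
  constructor(peerConnection) {
    this.pc = peerConnection;      // real RTCPeerConnection or the mock below
    this.state = State.IDLE;
    this.pendingRemoteSdp = null;  // caller's offer/update parked until the user answers
  }

  // Signaling from the caller. Before the user answers, remote SDP is stored but not
  // applied, so a caller-controlled message cannot trigger setLocalDescription by itself.
  onSignaling(msg) {
    if (msg.type !== "offer" && msg.type !== "sdp-update") return false; // unknown type, ignore
    if (this.state === State.IDLE) this.state = State.RINGING;
    if (this.state !== State.ANSWERED) { this.pendingRemoteSdp = msg.sdp; return false; }
    return this.applyRemoteAndAnswer(msg.sdp);  // renegotiation after answer is fine
  }

  // Only the answer button moves the session to ANSWERED and applies the parked SDP.
  onUserPressedAnswer() {
    if (this.state !== State.RINGING || this.pendingRemoteSdp === null) return false;
    this.state = State.ANSWERED;
    return this.applyRemoteAndAnswer(this.pendingRemoteSdp);
  }

  applyRemoteAndAnswer(sdp) {
    this.pc.setRemoteDescription({ type: "offer", sdp });
    this.pc.setLocalDescription(this.pc.createAnswer()); // audio starts flowing here
    return true;
  }
}

// Constructed mock: counts how often the local description was set (i.e. media enabled).
class MockPeerConnection {
  constructor() { this.localSet = 0; }
  setRemoteDescription() {}
  createAnswer() { return { type: "answer", sdp: "v=0 (constructed answer)" }; }
  setLocalDescription() { this.localSet++; }
}

// Scenario: the caller sends an offer and an unsolicited SDP update before the user answers.
function simulate() {
  const pc = new MockPeerConnection();
  const s = new CalleeSession(pc);
  s.onSignaling({ type: "offer", sdp: "v=0 (constructed offer)" });
  s.onSignaling({ type: "sdp-update", sdp: "v=0 (constructed update)" });
  const localBeforeAnswer = pc.localSet;  // 0: nothing sent before the user answers
  s.onUserPressedAnswer();
  return { localBeforeAnswer, localAfterAnswer: pc.localSet, state: s.state };
}
```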
The specialist reported the problem to Facebook developers last month, and the vulnerability has already been fixed. On Twitter, Silvanovich said that the company paid $60,000 for finding this bug through its bug bounty program, that she will donate the money to the charity GiveWell, and that Facebook, in turn, will match the donation.
GiveWell is a nonprofit organization that measures the performance of charities and focuses on effective altruism.
Thus, this bug has become one of the highest paid vulnerabilities in the history of Facebook, and the company’s engineers note that the “cost” of a vulnerability in this case is directly proportional to its potential danger.
Let me remind you that Facebook recently expanded its bug bounty program to cover third-party services.