Bug in Facebook Messenger for Android allowed connecting to user conversations

Bug in Facebook Messenger for Android
Written by Emma Davis

Google Project Zero specialist Natalie Silvanovich discovered a dangerous bug in Facebook Messenger for Android and received from the social network $60,000. The problem allowed an attacker to make audio calls and connect to already active calls without the awareness of the callers.

In her report, the specialist writes that the problem was related to the operation of the WebRTC puncture, which Messenger uses for audio and video calls, namely, its Session Description Protocol (SDP).

This protocol handles session data for WebRTC connections, and Silvanovich discovered that SDP messages could be abused by getting auto-approval for a WebRTC connection without any user interaction. In this case, the attack takes a few seconds.

Typically, the audio signal is only transmitted if the user has agreed to accept the call by pressing the answer button (at this point is called setLocalDescription).

There is a type of message that is not used to establish connections, this is SdpUpdate. However, SdpUpdate provokes an immediate call to setLocalDescription. If such a message is sent to the called device during a call, it will immediately start transmitting audio [even if the call was not actually answered], that is, it will allow the attacker to monitor the environment of the called subscriber.writes the researcher.

The specialist reported the problem to Facebook developers last month, and currently the vulnerability has already been fixed. On Twitter, Silvanovich said that for finding this error company has paid $60,000 through the bug bounty program, and the researcher will donate this money to the charity GiveWell, and Facebook, in turn, will double the donation amount.

Facebook generously awarded a bounty of $60,000 for this bug, which I’m donating to the GiveWell Maximum Impact Fund.wrote the researcher Natalie Silvanovich on her Twitter.

GiveWell is a nonprofit organization that measures the performance of charities and focuses on effective altruism.

Thus, this bug has become one of the highest paid vulnerabilities in the history of Facebook, and the company’s engineers note that the “cost” of a vulnerability in this case is directly proportional to its potential danger.

Let me remind you that Facebook expanded bug bounty program for third-party services.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply