Google Project Zero analyst Natalie Silvanovich discovered a number of serious vulnerabilities in Signal, Google Duo, Facebook Messenger, JioChat and Mocha messengers.
These bugs allowed an attacker to capture audio from a target's microphone and video from the device camera, monitoring what was happening around the user without the user's knowledge. All of the bugs have since been fixed.
For example, a Signal vulnerability fixed in September 2019 allowed an attacker to force an audio call: in the normal signalling flow the "connect" message is sent from the called device to the calling device, but the attacker could instead send it from the calling device to the called device, which then began transmitting audio without any user interaction.
A bug in Google Duo was a race condition that allowed video packets to leak from the called side during unanswered calls. The vulnerability was fixed in December 2020.
We covered the problem in Facebook Messenger for Android in detail in November 2020; the researcher received $60,000 for the bug. It allowed an attacker to place an audio call and begin receiving audio from the called device without the called user's knowledge.
Two similar vulnerabilities were found in the JioChat and Mocha messengers. They likewise made it possible to eavesdrop on and spy on users. These vulnerabilities were fixed in July and August 2020.
Silvanovich writes that she looked for similar errors in other applications, including Telegram and Viber, but found no such problems there.
Moreover, Natalie Silvanovich noted that it is not clear why this is such a common problem, but a lack of awareness of these types of bugs as well as unnecessary complexity in signalling state machines is likely a factor.
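To illustrate the class of bug behind the Signal case described above and the "signalling state machine complexity" Silvanovich points to, here is a deliberately simplified model of a call signalling state machine, written for this article. It is not code from Signal or any other messenger; the message names ("offer", "connect", "hangup"), the states and the roles are assumptions. The buggy handler turns media on whenever a "connect" arrives, regardless of who sent it or whether the user answered; the hardened handler only lets the caller act on a "connect", only from the callee, and switches the callee's media on solely when the local user answers.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum, auto


class Role(Enum):
    CALLER = auto()
    CALLEE = auto()


class State(Enum):
    IDLE = auto()
    CALLING = auto()    # caller: offer sent, waiting for the callee
    RINGING = auto()    # callee: offer received, waiting for the user to answer
    CONNECTED = auto()


@dataclass
class Message:
    kind: str     # "offer", "connect" or "hangup" (assumed message names)
    sender: Role  # role the signalling channel attributes the message to


@dataclass
class Device:
    role: Role
    state: State = State.IDLE
    user_accepted: bool = False
    media_on: bool = False               # microphone/camera streaming to the peer
    log: list = field(default_factory=list)

    def user_answers(self) -> None:
        """The only legitimate way for a callee to start sending media."""
        if self.role == Role.CALLEE and self.state == State.RINGING:
            self.user_accepted = True
            self.state = State.CONNECTED
            self.media_on = True


def vulnerable_handle(dev: Device, msg: Message) -> None:
    """Buggy handler: any 'connect' moves the device to CONNECTED and turns
    media on, without checking who sent it or whether the user accepted."""
    if msg.kind == "offer" and dev.state == State.IDLE:
        dev.state = State.RINGING
    elif msg.kind == "connect" and dev.state in (State.CALLING, State.RINGING):
        dev.state = State.CONNECTED
        dev.media_on = True              # a callee starts streaming without answering
    elif msg.kind == "hangup":
        dev.state, dev.media_on = State.IDLE, False


def hardened_handle(dev: Device, msg: Message) -> None:
    """Fixed handler: 'connect' is meaningful only to a caller, only from the
    callee, and only while the caller is waiting. A callee's media is switched
    on by user_answers() alone, never by an incoming message."""
    if msg.kind == "offer" and dev.role == Role.CALLEE and dev.state == State.IDLE:
        dev.state = State.RINGING
    elif msg.kind == "connect":
        if (dev.role != Role.CALLER or msg.sender != Role.CALLEE
                or dev.state != State.CALLING):
            dev.log.append(f"rejected connect from {msg.sender.name} in {dev.state.name}")
            return
        dev.state = State.CONNECTED
        dev.media_on = True
    elif msg.kind == "hangup":
        dev.state, dev.media_on = State.IDLE, False


def attacker_calls(handler) -> Device:
    """Attacker is the caller and sends 'connect' itself instead of waiting
    for the victim's device to send it after the user answers (constructed scenario)."""
    victim = Device(role=Role.CALLEE)
    handler(victim, Message("offer", Role.CALLER))
    handler(victim, Message("connect", Role.CALLER))   # wrong direction
    return victim


def legitimate_call(handler) -> tuple[Device, Device]:
    """Normal call: callee rings, user answers, callee's 'connect' reaches the caller."""
    caller = Device(role=Role.CALLER, state=State.CALLING)
    callee = Device(role=Role.CALLEE)
    handler(callee, Message("offer", Role.CALLER))
    callee.user_answers()
    handler(caller, Message("connect", Role.CALLEE))
    return caller, callee


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handle), ("hardened", hardened_handle)):
        v = attacker_calls(handler)
        print(f"{name}: victim media_on={v.media_on} user_accepted={v.user_accepted}")
```

The `sender` field only helps if the signalling server actually enforces who may send which message; a client-side role check is the last line of defence, and the real fix is that no incoming message, whatever its sender, can switch a callee's media on before the user has answered.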