Vulnerabilities in Signal, Google Duo and Facebook Messenger allowed spying on users

Written by Emma Davis

Google Project Zero analyst Natalie Silvanovich discovered a number of serious vulnerabilities in Signal, Google Duo, Facebook Messenger, JioChat and Mocha messengers.

Because of these vulnerabilities, hackers could receive sound from the microphone and a picture from the camera of a device, and monitor what was happening around users without their knowledge.

"I found logic bugs that allow audio or video to be transmitted without user consent in five mobile applications including Signal, Duo and Facebook Messenger," writes Natalie Silvanovich on Twitter.

All of the bugs have since been fixed.

A vulnerability in Signal, fixed back in September 2019, allowed an audio call to be connected by sending the connection message from the calling device to the called device, rather than the other way around. Moreover, this was done without user interaction.

A bug in Google Duo caused a race condition, which made it possible to merge video packets from the called side by means of missed calls. The vulnerability was fixed in December 2020.

We talked about the problem in Facebook Messenger for Android in detail in November 2020. The researcher received $60,000 for finding this bug. The problem allowed an attacker to make audio calls and connect to already active calls without the knowledge of the callers themselves.

Two similar vulnerabilities were found in the code of the JioChat and Mocha messengers. They also made it possible to eavesdrop on subscribers and spy on them. These vulnerabilities were closed in July-August 2020.

Silvanovich writes that she looked for similar errors in other applications, including Telegram and Viber, but found no such problems.

"It is important to note that I have not studied any of the group calling functionality of these applications, and all the vulnerabilities found were found in peer-to-peer calls. [Group Challenges] is an area for future work where additional problems can be identified," the researcher emphasizes.

Moreover, Natalie Silvanovich noted that it is not clear why this is such a common problem, but a lack of awareness of these types of bugs as well as unnecessary complexity in signalling state machines is likely a factor.
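The Signal bug described above, modelled as an added example (this is not Signal's code and not code from the article): a hypothetical `CallSession` whose `on_connect` handler, in non-strict mode, accepts a connection message while an incoming call is still ringing, and in strict mode accepts it only on the side that placed the call. All class, method and state names are assumptions made for illustration.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()
    RINGING_OUT = auto()  # we placed the call and wait for the peer to answer
    RINGING_IN = auto()   # the peer is calling us; the local user has not answered
    CONNECTED = auto()    # media is flowing, microphone is live

class CallSession:
    """Hypothetical model of one device's call-signalling state machine."""
    def __init__(self, strict):
        self.strict = strict
        self.state = State.IDLE
        self.mic_on = False

    def place_call(self):
        self.state = State.RINGING_OUT

    def on_offer(self):                      # incoming call from the peer
        if self.state is State.IDLE:
            self.state = State.RINGING_IN

    def user_accepts(self):                  # explicit consent on the callee side
        if self.state is State.RINGING_IN:
            self._start_media()

    def on_connect(self):
        """Peer says 'call answered'. Only meaningful on the caller's side."""
        if self.strict and self.state is not State.RINGING_OUT:
            return False                     # wrong direction: drop the message
        if self.state in (State.RINGING_OUT, State.RINGING_IN):
            self._start_media()              # non-strict: also fires while ringing in
            return True
        return False

    def _start_media(self):
        self.state = State.CONNECTED
        self.mic_on = True

def callee_mic_after_unsolicited_connect(strict):
    """Callee receives 'connect' from the caller before the user answers."""
    callee = CallSession(strict)
    callee.on_offer()
    callee.on_connect()
    return callee.mic_on

def normal_call_still_works(strict):
    """Caller gets 'connect' after the callee's user accepted the call."""
    caller, callee = CallSession(strict), CallSession(strict)
    caller.place_call(); callee.on_offer(); callee.user_accepts()
    return caller.on_connect() and caller.mic_on and callee.mic_on
```

The hardened handler ties the message to the call direction, so media on the called device can start only through `user_accepts`.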


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
