Facebook has fixed a major security bug today in its Messenger for Android app that could have allowed attackers to place and connect Messenger audio calls without the callee’s knowledge or interaction.
The vulnerability, which could have been abused to spy on Facebook users via their Android phones, was found during a security audit by Natalie Silvanovich, a researcher working for Google’s Project Zero security team.
In a bug report made public today, Silvanovich said the bug resided in the WebRTC protocol that the Messenger app is using to support audio and video calls.
More specifically, Silvanovich said the problem resided in the Session Description Protocol (SDP), part of WebRTC. This protocol handles session data for WebRTC connections, and Silvanovich discovered that an SDP message could be abused to auto-approve WebRTC connections without user interaction.
“There is a message type that is not used for call set-up, SdpUpdate,” Silvanovich explained. “If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”
Exploiting the bug takes a few seconds, according to Silvanovich’s bug report.
The Google researcher reported the issue to Facebook last month, and the social media giant patched it today in an update to its Messenger for Android app.
“This report is among our three highest bug bounties at $60,000, which reflects its maximum potential impact,” Facebook said today.
In a Twitter message, Silvanovich said Facebook awarded her a $60,000 bug bounty for reporting the issue, which the Google researcher chose to donate to the GiveWell, a non-profit that coordinates charity activities for maximum funds usage.
In previous years, Silvanovich also found and reported similar issues in other instant messaging applications, one of her areas of expertise.
In October 2018, she found a bug in WhatsApp for Android and iOS that would have allowed attackers to take over the app after a user answered a video call.
In July 2019, Silvanovich found four interactionless bugs in the iOS iMessage app. In the same month, she also discovered a fifth iMessage bug that could have been used to brick iPhones.