Facebook has recently fixed a serious bug in its Messenger app that could allow spying on other users. Specifically, exploiting the bug let a caller listen to the target user's surroundings before the call was answered, without any special privileges beyond being able to call the target.
Facebook Messenger Bug Allowed Spying
A researcher from the Google Project Zero team has found a serious bug in the Facebook Messenger app that allowed spying.
As detailed in a bug report, the researcher Natalie Silvanovich described that the bug existed in the call-signalling logic Messenger builds on top of WebRTC, the protocol that carries audio/video calls on Facebook Messenger.
As a rule, audio transmission on a call begins only after the callee answers the incoming call. Explaining this behavior, the researcher stated,
Normally, the callee does not transmit audio until the user has consented to accept the call, which is implemented by either not calling setLocalDescription until the callee has clicked the accept button, or setting the audio and video media descriptions in the local SDP to inactive and updating them when the user clicks the button (which strategy is used depends on how many endpoints the callee is logged into Facebook on).
However, due to the flaw, the caller could receive audio from the callee before the call was answered or declined.
To exploit the flaw, an attacker merely had to send a specific signalling message to the callee while simultaneously calling the target. The only precondition on the attacker's side was permission to call the target at all, which in practice means being a Facebook friend or someone already connected on Messenger.
There is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately. If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.
It did, however, require the target to be signed in to Messenger on an Android device and on the web version at the same time.
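To make the failure mode concrete, here is an added example that is not Messenger's code and not from the bug report: a simplified model of the callee-side signalling state machine on top of a WebRTC-style peer connection. The FakePeerConnection class, the Callee class, the Offer/Accept message names and the constructed SDP are assumptions for illustration; the only behaviour taken from the report is that an SdpUpdate message causes setLocalDescription to be called while the phone is still ringing. The hardened variant enforces the consent rule at a single choke point (every local description is forced to a=inactive until the user accepts), so it holds regardless of which message type triggered the update.

```javascript
// Added example (not Messenger's code): a simplified model of callee-side
// call signalling on a WebRTC-style peer connection, showing why an SDP
// update processed while ringing leaks media, and one way to gate it.
// FakePeerConnection, Callee, the message names and the SDP below are
// assumptions for illustration; only "SdpUpdate -> setLocalDescription
// while ringing" comes from the bug report quoted above.

// Constructed SDP answer with active audio and video media sections.
const ACTIVE_ANSWER_SDP = [
  "v=0",
  "m=audio 9 UDP/TLS/RTP/SAVPF 111",
  "a=sendrecv",
  "m=video 9 UDP/TLS/RTP/SAVPF 96",
  "a=sendrecv",
].join("\r\n");

// Direction attribute per media section, e.g. { audio: "sendrecv", video: "inactive" }.
function mediaDirections(sdp) {
  const dirs = {};
  let current = null;
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^m=(\w+)\s/.exec(line);
    if (m) { current = m[1]; dirs[current] = "sendrecv"; continue; } // RFC 4566 default
    const d = /^a=(sendrecv|sendonly|recvonly|inactive)$/.exec(line);
    if (d && current) dirs[current] = d[1];
  }
  return dirs;
}

// Rewrite every direction attribute to a=inactive so no media flows either way.
function forceInactive(sdp) {
  return sdp.replace(/^a=(sendrecv|sendonly|recvonly)$/gm, "a=inactive");
}

// Stand-in for RTCPeerConnection (synchronous here for brevity). Real WebRTC
// starts sending a track once the local description marks its m-section as
// sendrecv/sendonly and transport is up; that is what "transmitting" models.
class FakePeerConnection {
  constructor() { this.localDescription = null; }
  setLocalDescription(desc) { this.localDescription = desc; }
  get transmitting() {
    if (!this.localDescription) return false;
    return Object.values(mediaDirections(this.localDescription.sdp))
      .some((d) => d === "sendrecv" || d === "sendonly");
  }
}

// Callee-side state machine. `patched` selects the hardened behaviour.
class Callee {
  constructor(pc, patched) {
    this.pc = pc; this.patched = patched;
    this.state = "idle"; this.consented = false;
  }
  // Single choke point: until the user consents, any local description is
  // applied with all media inactive, whichever message triggered it.
  applyLocal(sdp) {
    const effective = this.patched && !this.consented ? forceInactive(sdp) : sdp;
    this.pc.setLocalDescription({ type: "answer", sdp: effective });
  }
  handle(msg) {
    switch (msg.type) {
      case "Offer":      // incoming call: ring, do not set a local description
        this.state = "ringing"; break;
      case "Accept":     // user pressed the accept button
        this.consented = true; this.state = "connected";
        this.applyLocal(ACTIVE_ANSWER_SDP); break;
      case "SdpUpdate":  // the message the report says fired setLocalDescription
        this.applyLocal(msg.sdp); break;
    }
  }
}

// Caller sends Offer, then an SdpUpdate while the callee is still ringing,
// and finally the user accepts. Returns whether media flowed before consent.
function simulate(patched) {
  const pc = new FakePeerConnection();
  const callee = new Callee(pc, patched);
  callee.handle({ type: "Offer" });
  callee.handle({ type: "SdpUpdate", sdp: ACTIVE_ANSWER_SDP });
  const leaked = pc.transmitting;            // audio flowing before accept?
  callee.handle({ type: "Accept" });
  return { state: callee.state, leakedBeforeAccept: leaked, transmittingAfterAccept: pc.transmitting };
}
```

Running simulate(false) reproduces the report's scenario: the SdpUpdate applies an active answer while ringing, so the callee's microphone is already being sent to the caller. With simulate(true) the same message only installs an inactive description, and media starts flowing only after Accept flips the consent flag. The point of the design is that the consent check lives in applyLocal rather than in one message handler, so adding a new signalling message later cannot silently bypass it.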
Facebook Patched The Flaw
Silvanovich discovered the bug in October 2020 and reported it to Facebook under Project Zero's standard 90-day disclosure deadline.
However, given the critical nature of the flaw, Facebook acted quickly to fix the vulnerability. They patched it not only in Messenger, but across all other products supporting one-to-one calls with the same protocol.
Besides deploying the patch, Facebook also rewarded the researcher with a $60,000 bounty. Acknowledging the bug report in its post, Facebook confirmed that this payout ranks among its three highest bug bounties to date.