This security flaw, now fixed, could have allowed attackers to start audio calls without the user's knowledge.
Facebook today fixed a major security flaw in its Messenger app for Android. It could have allowed an attacker to connect a Messenger audio call to a victim's device without the called party's knowledge or interaction.
The vulnerability, which could have been abused to spy on Facebook users through their Android phones, was discovered during a security audit by Natalie Silvanovich, a researcher working for Google's Project Zero security team.
A silent call used for spying
In the vulnerability report, now public, the researcher explains that the flaw lay in how the Messenger application handles the signaling it uses to set up WebRTC audio and video calls.
Specifically, the problem was in the handling of Session Description Protocol (SDP) messages, which WebRTC uses to describe the media session being negotiated (codecs, transport addresses and so on). Natalie Silvanovich found that one such message could be abused to make the callee's device accept the WebRTC connection automatically, without any user interaction.
"There is a type of message that is not used for the establishment of the call, SdpUpdate," she explains. "If this message is sent to the called party's device while it is ringing, the audio will begin to flow immediately, and the attacker could then start spying on the called party's environment."
The exploitation of the security flaw only takes seconds, according to Natalie Silvanovich's vulnerability report.
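To make the bug class concrete, here is an added example that is not Messenger's code and not taken from the Project Zero report: a small Python model of a callee's signaling state machine. The message names (`offer`, `sdp_update`), the `FakePeerConnection` stand-in for a WebRTC peer connection, and the SDP bodies are all constructed for the example. The model simplifies media start to "a remote description was applied", which is the observable effect the report describes. The vulnerable callee applies an incoming SDP update as soon as it arrives, so audio flows while the phone is still ringing; the hardened callee holds any description-bearing message until the local user has accepted the call.

```python
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    IDLE = "idle"
    RINGING = "ringing"
    IN_CALL = "in_call"


# Signaling messages modelled as (type, sdp) pairs. Constructed for this example.
Message = Tuple[str, str]


class FakePeerConnection:
    """Stand-in for a WebRTC peer connection (assumption: not the real API).
    Media is modelled as flowing as soon as a remote description is applied."""

    def __init__(self) -> None:
        self.remote_description: Optional[str] = None
        self.audio_flowing = False

    def set_remote_description(self, sdp: str) -> None:
        self.remote_description = sdp
        self.audio_flowing = True


class VulnerableCallee:
    """Applies every description-bearing message the moment it arrives."""

    def __init__(self) -> None:
        self.state = State.IDLE
        self.pc = FakePeerConnection()
        self.pending_offer: Optional[str] = None

    def on_signaling(self, msg: Message) -> None:
        kind, sdp = msg
        if kind == "offer" and self.state is State.IDLE:
            self.pending_offer = sdp
            self.state = State.RINGING  # the UI starts ringing; nothing applied yet
        elif kind == "sdp_update":
            # Bug: no check that the user has accepted, so media starts while ringing.
            self.pc.set_remote_description(sdp)

    def user_accepts(self) -> None:
        """Local user taps 'answer'."""
        if self.state is State.RINGING and self.pending_offer is not None:
            self.pc.set_remote_description(self.pending_offer)
            self.state = State.IN_CALL


class HardenedCallee(VulnerableCallee):
    """Same protocol, but nothing reaches the media stack before the user accepts."""

    def __init__(self) -> None:
        super().__init__()
        self.queued_updates: List[str] = []

    def on_signaling(self, msg: Message) -> None:
        kind, sdp = msg
        if kind == "offer" and self.state is State.IDLE:
            self.pending_offer = sdp
            self.state = State.RINGING
        elif kind == "sdp_update":
            if self.state is State.IN_CALL:
                self.pc.set_remote_description(sdp)  # legitimate mid-call renegotiation
            elif self.state is State.RINGING:
                self.queued_updates.append(sdp)  # hold until the user decides
            # In IDLE there is no call to update: the message is dropped.

    def user_accepts(self) -> None:
        super().user_accepts()
        if self.state is State.IN_CALL:
            for sdp in self.queued_updates:
                self.pc.set_remote_description(sdp)
            self.queued_updates.clear()


def attacker_sequence() -> List[Message]:
    """Constructed sequence: a normal offer, then an SDP update while the callee rings."""
    return [
        ("offer", "v=0 ... m=audio (constructed offer)"),
        ("sdp_update", "v=0 ... m=audio (constructed update)"),
    ]


def audio_before_accept(callee: VulnerableCallee) -> bool:
    """True if the callee's microphone path is live while it is still ringing."""
    for msg in attacker_sequence():
        callee.on_signaling(msg)
    return callee.pc.audio_flowing and callee.state is State.RINGING


if __name__ == "__main__":
    print("vulnerable callee leaks audio before accept:", audio_before_accept(VulnerableCallee()))
    print("hardened callee leaks audio before accept:", audio_before_accept(HardenedCallee()))
```

The point of the hardened version is not the queue itself but the invariant it enforces: the only transition that can turn media on is the local user's accept, and every remote message is checked against the current call state before it touches the peer connection.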
A bug rewarded
The researcher reported the issue to Facebook last month, and the social media giant corrected it this Thursday with an update to the Messenger app for Android.
"This report is one of the three highest bug bounties, with $60,000, which reflects its potential maximum impact," said Facebook.
On Twitter, Natalie Silvanovich said that Facebook awarded her a $60,000 bounty for reporting the problem and that she chose to donate the amount to GiveWell, a non-profit that evaluates charities.
In previous years, Natalie Silvanovich has found and reported similar issues in other instant messaging applications, one of her areas of expertise.
In October 2018, the researcher found a security vulnerability in WhatsApp for Android and iOS that would have allowed attackers to take control of the app after a user answered a video call.
In July 2019, she also reported four zero-click vulnerabilities (exploitable with no user interaction) in the iMessage app on iOS. The same month, she discovered a fifth security flaw, again in iMessage, which could have been used to compromise iPhones.