Facebook has patched a critical vulnerability in the Facebook Messenger for Android mobile app, which could have let attackers spy on other Facebook users using audio and video calls.
Natalie Silvanovich, the researcher with Google's Project Zero who discovered the bug, says it existed in Facebook Messenger's implementation of a protocol called WebRTC, which the app uses to set up audio and video calls by exchanging "thrift messages" between callee and caller.
Normally, a person receiving a call doesn't send audio until the call is accepted, Silvanovich said in a write-up of her findings. This step is implemented by either not calling setLocalDescription until the callee has clicked accept, or by setting audio and video media description in the local Session Description Protocol (SDP) to inactive and updating them when the call is accepted.
However, she wrote, there is a message type called SdpUpdate, which is not used for call setup and will cause setLocalDescription to be called immediately. If this message is sent to someone while their phone is ringing, the callee would begin to transmit audio immediately and enable an attacker to listen to their surroundings. The callee would not have to answer their phone.
Silvanovich explains the steps of an attack in her report. In a separate write-up celebrating the 10th anniversary of its bug bounty program, Facebook noted an attacker would need to have certain permissions, such as already being Facebook friends, to call a victim. The attacker would also need to use reverse engineering tools to send a custom message from their Messenger app.
Facebook fixed the vulnerability with a server-side patch and says its researchers applied more protections for this issue across apps that use the same protocol for one-on-one calls. The flaw merited a bug bounty of $60,000, among the three highest bug bounties the company offers.
Read Silvanovich's Project Zero bug report for more details.