A New Facebook Bug Let Hackers Listen To You Before You Pick Up Messenger Call

Despite all its claims and assurances, Facebook is, for one reason or another, still far from winning the trust of its users.

Facebook recently patched a critical bug in the widely used Messenger app for Android, which could have let threat actors call unsuspecting users and start listening to them even before they picked up the call! 

Scary, isn’t it?


Credit goes to Natalie Silvanovich, a member of Google’s Project Zero team, who reported the flaw to Facebook last month, on October 6th. The bug no longer exists, as the Facebook team quickly took note of it and patched the hole.

However, it’s unknown how many malicious hackers ended up discovering this vulnerability. It is believed that the issue was taken care of before it could have a wide-scale impact on the 1.3 billion Messenger users that currently exist.

The bug allowed an attacker who was logged into the app to place a call and, at the same time, send specially crafted messages to a target who was signed in via the Messenger app or the web browser.

Dan Gurfinkel, Facebook’s Security Engineering Manager, said that it would then trigger a scenario wherein the device that has been called would begin receiving audio even before the recipient answered the call.

In a blog post published after she reported the bug, Silvanovich said the flaw resided in WebRTC’s Session Description Protocol (SDP), a standard format for the exchange of media being streamed between two endpoints.


She further explained that the flaw allowed attackers to send a specially encoded message known as “SdpUpdate”, which would cause a call to the target’s device to connect without the call being answered.

In a typical scenario, audio or video calls which are routed via WebRTC do not transmit audio until the recipient accepts it. But, in case the “SdpUpdate” message is sent to the target device while it is ringing, it would cause the device to start transmitting audio immediately which would then let the threat actor monitor the callee’s surroundings.
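The state check that separates the two behaviours described above can be modelled in a few lines. This is an added example, not code from the article, Facebook or Project Zero: only the `SdpUpdate` name comes from the article, while the `Offer` message, the `audio` field and the `Callee` class are hypothetical, and the sample messages are constructed.

```javascript
// Added illustration, not Messenger or WebRTC code. "SdpUpdate" is the only
// name taken from the article; "Offer", the audio field and the class are hypothetical.
class Callee {
  constructor(enforceState) {
    this.enforceState = enforceState; // true = hardened handler
    this.state = "idle";              // idle -> ringing -> connected
    this.sendingAudio = false;
    this.dropped = [];                // messages rejected by the state check
  }

  // Message from the remote peer over the signalling channel.
  onRemoteMessage(msg) {
    if (msg.type === "Offer" && this.state === "idle") {
      this.state = "ringing";
      return;
    }
    if (msg.type === "SdpUpdate") {
      // Hardened: a session update is valid only after the local user answered.
      if (this.enforceState && this.state !== "connected") {
        this.dropped.push({ type: msg.type, state: this.state });
        return;
      }
      // Unchecked path: applied in any state, the behaviour the article describes.
      if (msg.audio === "send") this.sendingAudio = true;
      return;
    }
    this.dropped.push({ type: msg.type, state: this.state });
  }

  // Local UI event: only the user's own action moves the call to connected.
  onUserAccept() {
    if (this.state !== "ringing") return;
    this.state = "connected";
    this.sendingAudio = true;
  }
}

// Replay remote messages against a fresh callee; the user never answers.
function simulate(enforceState, messages) {
  const callee = new Callee(enforceState);
  for (const m of messages) callee.onRemoteMessage(m);
  return { state: callee.state, sendingAudio: callee.sendingAudio,
           dropped: callee.dropped.length };
}

// Constructed sample: an update arrives while the device is still ringing.
const ringingUpdate = [{ type: "Offer" }, { type: "SdpUpdate", audio: "send" }];
console.log("unchecked:", simulate(false, ringingUpdate));
console.log("hardened: ", simulate(true, ringingUpdate));
```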

Now, if you are someone who keeps themselves updated with bug fix reports and other security-related news, you would notice that this vulnerability bears a stark resemblance to the one that was reported last year in Apple’s FaceTime group chats feature. 

The bug in FaceTime group chats made it possible for threat actors to start a video call and then eavesdrop on the recipients even before they accepted the incoming call. Back then, Apple quickly took note of the situation and first removed the group chats feature before fixing the issue in its next iOS update.

That being said, the recent Facebook vulnerability was tougher to exploit than Apple’s, which popped up in 2019. In Facebook’s case, the caller, i.e. the threat actor, would need to have been friends with the callee to pull it off.

On top of that, the attack also required the threat actor to manipulate their own Messenger app by using reverse engineering tools so that they could send the custom “SdpUpdate” message. Thus, when it comes to ease of exploitation, Apple’s vulnerability definitely wins.

This is not the first time Facebook or its family of apps has been shaken by a serious bug. Every year there are reports of various bugs in Facebook’s systems that put hundreds of billions of users at risk of either losing their sensitive personal information or getting hacked.

All in all, for now, Facebook users can sleep better, knowing this potential threat is no longer active. The social media behemoth awarded Silvanovich a whopping $60,000 bug bounty for reporting the issue, which is one of the three highest bug bounties paid out to date.
