A New Facebook Bug Let Hackers Listen To You Before You Pick Up Messenger Call

Despite all its claims and assurances, Facebook is, for one reason or another, still far from winning the trust of users.

Facebook recently patched a critical bug in the widely used Messenger app for Android, which could have let threat actors call unsuspecting users and start listening to them even before they picked up the call! 

Scary, isn’t it?


Credit goes to Natalie Silvanovich, a member of Google’s Project Zero team, who reported the flaw to Facebook last month on October 6th. The bug no longer exists, as the Facebook team quickly took note of it and patched the hole.

However, it’s unknown how many malicious hackers ended up discovering this vulnerability. It’s believed that the issue was taken care of before it could have a wide-scale impact on the 1.3 billion Messenger users that currently exist.

The bug allowed an attacker logged into the app to place a call and send specially crafted messages to a target who is signed in via the Messenger app or the web browser.

Dan Gurfinkel, Facebook’s Security Engineering Manager, said that it would then trigger a scenario wherein the device that has been called would begin receiving audio even before the recipient of the call answered.

In a blog post published after reporting the bug, Silvanovich mentioned that the flaw resided in WebRTC’s Session Description Protocol (SDP), which is a standard format for the exchange of media being streamed between two endpoints.


She further elaborated that the flaw would allow attackers to send a specially encoded message known as “SdpUpdate”, which would cause a call to the target’s device to connect without the call being answered.

In a typical scenario, audio or video calls routed via WebRTC do not transmit audio until the recipient accepts the call. But if the “SdpUpdate” message is sent to the target device while it is ringing, the device starts transmitting audio immediately, which would let the threat actor monitor the callee’s surroundings.
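The gating failure described above, modelled as an added example (not code from Messenger, WebRTC or Silvanovich’s post): a callee-side signalling handler in which applying a session description starts outbound audio, shown with and without a check that the call has been answered. Only the “SdpUpdate” name comes from the article; the `Offer` message type, the `Callee` class and the sample SDP are constructed for illustration.

```javascript
// Constructed sample SDP: one audio section that is allowed to send.
const SAMPLE_SDP = ['v=0', 'm=audio 9 UDP/TLS/RTP/SAVPF 111', 'a=sendrecv'].join('\r\n');

class Callee {
  constructor({ gateOnAnswer }) {
    this.gateOnAnswer = gateOnAnswer; // true = hardened handler
    this.state = 'idle';              // idle -> ringing -> connected
    this.sendingAudio = false;
    this.pendingSdp = null;
    this.dropped = [];                // rejected updates, worth logging and alerting on
  }

  // In this model, applying a description is what starts outbound media.
  applySdp(sdp) {
    this.sendingAudio = /^a=(sendrecv|sendonly)$/m.test(sdp);
  }

  onSignal(msg) {
    if (msg.type === 'Offer') {       // hypothetical name for the incoming-call message
      this.state = 'ringing';
      this.pendingSdp = msg.sdp;      // held until the user answers
    } else if (msg.type === 'SdpUpdate') {
      if (this.gateOnAnswer && this.state !== 'connected') {
        this.dropped.push(`SdpUpdate rejected in state ${this.state}`);
        return;
      }
      this.applySdp(msg.sdp);         // ungated path: also runs while ringing
    }
  }

  answer() {                          // the only path driven by a user action
    if (this.state !== 'ringing') return;
    this.state = 'connected';
    this.applySdp(this.pendingSdp);
  }
}

// Replays the sequence from the article: the call rings, then an SdpUpdate
// arrives before the callee has answered.
function audioBeforeAnswer(gateOnAnswer) {
  const callee = new Callee({ gateOnAnswer });
  callee.onSignal({ type: 'Offer', sdp: SAMPLE_SDP });
  callee.onSignal({ type: 'SdpUpdate', sdp: SAMPLE_SDP });
  return { sendingAudio: callee.sendingAudio, dropped: callee.dropped };
}

console.log('ungated:', audioBeforeAnswer(false).sendingAudio,
            '| gated:', audioBeforeAnswer(true).sendingAudio);
```
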

Now, if you are someone who keeps themselves updated with bug fix reports and other security-related news, you would notice that this vulnerability bears a stark resemblance to the one that was reported last year in Apple’s FaceTime group chats feature. 

The bug in FaceTime group chats made it possible for threat actors to start a video call and then eavesdrop on the recipients even before they accepted the incoming call. Back then, Apple quickly took note of the situation and first moved to remove the group chats feature before fixing the flaw in its next iOS update.

That being said, the recent Facebook vulnerability was tougher to exploit than Apple’s, which popped up in 2019. In Facebook’s case, the caller, aka the threat actor, would need to have been friends with the callee to pull it off.

On top of that, the attack also required the threat actor to manipulate their own Messenger app by using reverse engineering tools so that they could send the custom “SdpUpdate” message. Thus, when it comes to ease of exploitation, Apple’s vulnerability definitely wins.

This is not the first time that Facebook or its family of apps has been shaken by a serious bug. Every year there are reports of various bugs in Facebook’s systems that put hundreds of billions of users at risk of either losing their sensitive personal information or getting hacked.

All in all, for now, Facebook users can sleep better, knowing this potential threat is no longer active. The social media behemoth awarded Silvanovich a whopping $60,000 bug bounty for reporting the issue, which is one of the three highest bug bounties paid out to date.
