A New Facebook Bug Let Hackers Listen To You Before You Pick Up Messenger Call


Despite all the claims and assurances, for one reason or another, Facebook is still far from winning the trust of its users.

Facebook recently patched a critical bug in the widely used Messenger app for Android which could have let threat actors call unsuspecting users and start listening to them even before they picked up the call!

Scary, isn’t it?


All thanks go to Natalie Silvanovich, a member of Google’s Project Zero team, who reported the flaw to Facebook last month, on October 6th. The bug no longer exists, as the Facebook team quickly took note of it and patched the hole.

However, it is unknown how many malicious hackers ended up discovering this vulnerability. The issue is believed to have been taken care of before it could have a wide-scale impact on the 1.3 billion Messenger users that currently exist.

The bug allowed an attacker logged into the app to call a target, and to send them specifically crafted messages, while the target was signed in via the Messenger app or a web browser.

Dan Gurfinkel, Facebook’s Security Engineering Manager, said that this would trigger a scenario in which audio from the called device would begin flowing even before the call was answered.

Silvanovich, after reporting the bug, mentioned in a blog post on the issue that the flaw resided in WebRTC’s Session Description Protocol (SDP), a standard format for describing the media streamed between two endpoints.


She further elaborated that the flaw allowed attackers to send a specially encoded message known as “SdpUpdate”, which would cause the target’s device to connect the call without it being answered.

In a typical scenario, audio or video calls routed via WebRTC do not transmit audio until the recipient accepts the call. But if the “SdpUpdate” message is sent to the target device while it is ringing, it causes the device to start transmitting audio immediately, which lets the threat actor monitor the callee’s surroundings.
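The pre-answer audio problem described above comes down to a missing state check on the callee side: a description update is applied whether or not the user has answered. The toy signalling state machine below is an added example, not code from Facebook, Google Project Zero or the WebRTC project. It parses a tiny subset of SDP, applies an update either immediately (the vulnerable behaviour) or only once the user has accepted the call (the hardened behaviour), and keeps an event trail a defender can audit for media that turned on before the answer. The `sdp_update` message name follows the page; the SDP subset handled by the parser, the `CalleeSession` class and the sample message are constructed assumptions.

```python
"""Toy callee-side signalling state machine (added example, not Facebook's,
Project Zero's or WebRTC's own code).  It shows why a description update that
arrives while the device is still ringing must not be allowed to enable
outbound media.  The sdp_update name follows the page; the SDP subset parsed
here and the sample message are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Set, Tuple

class CallState(Enum):
    RINGING = auto()
    ACCEPTED = auto()

# Direction attributes defined for SDP media sections (RFC 4566 / RFC 3264).
DIRECTIONS = {"sendrecv", "sendonly", "recvonly", "inactive"}

def parse_media_directions(sdp: str) -> List[Tuple[str, str]]:
    """Return (media kind, direction) per m= section.  A direction attribute
    before the first m= line is session level and sets the default for every
    section; one inside a section overrides it; absent both, it is sendrecv."""
    session_default = "sendrecv"
    sections: List[List[str]] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            sections.append([line[2:].split()[0], session_default])
        elif line.startswith("a=") and line[2:] in DIRECTIONS:
            if sections:
                sections[-1][1] = line[2:]
            else:
                session_default = line[2:]
    return [(kind, direction) for kind, direction in sections]

@dataclass
class CalleeSession:
    """State for one incoming call on the callee's device."""
    enforce_answer_gate: bool
    state: CallState = CallState.RINGING
    transmitting: Set[str] = field(default_factory=set)
    pending_sdp: Optional[str] = None
    events: List[str] = field(default_factory=list)   # audit trail

    def _apply_local_description(self, sdp: str) -> None:
        # Simplification: the update is applied as the callee's local description,
        # so sendrecv/sendonly means this device's microphone or camera turns on.
        for kind, direction in parse_media_directions(sdp):
            if direction in ("sendrecv", "sendonly"):
                if kind not in self.transmitting:
                    self.events.append("media_on:" + kind)
                self.transmitting.add(kind)
            else:
                self.transmitting.discard(kind)

    def on_sdp_update(self, sdp: str) -> None:
        """Handle a description update received over the signalling channel."""
        if self.enforce_answer_gate and self.state is not CallState.ACCEPTED:
            # Hardened path: hold the update until the user answers, so nothing
            # the caller sends can switch media on while the device is ringing.
            self.pending_sdp = sdp
            self.events.append("deferred")
            return
        self._apply_local_description(sdp)   # vulnerable path: state not checked

    def accept(self) -> None:
        """The user answers; only now may a deferred description take effect."""
        self.state = CallState.ACCEPTED
        self.events.append("accepted")
        if self.pending_sdp is not None:
            self._apply_local_description(self.pending_sdp)
            self.pending_sdp = None

def media_started_before_answer(session: CalleeSession) -> bool:
    """Audit check over the event trail: did any media turn on before 'accepted'?"""
    for event in session.events:
        if event == "accepted":
            return False
        if event.startswith("media_on:"):
            return True
    return False

# Constructed sample update that enables the audio section.
SDP_AUDIO_ON = "v=0\no=- 1 1 IN IP4 0.0.0.0\ns=-\nt=0 0\nm=audio 9 UDP/TLS/RTP/SAVPF 111\na=sendrecv\n"

def simulate(enforce_answer_gate: bool) -> Tuple[List[str], List[str], bool]:
    """Deliver the update while ringing, then answer; report media state at both
    points and whether the audit check flags the session."""
    session = CalleeSession(enforce_answer_gate=enforce_answer_gate)
    session.on_sdp_update(SDP_AUDIO_ON)
    while_ringing = sorted(session.transmitting)
    session.accept()
    return while_ringing, sorted(session.transmitting), media_started_before_answer(session)
```

`simulate(False)` reports audio already on while the device is still ringing and the audit check flags it; `simulate(True)` defers the update until `accept()` and the check stays clean. The invariant "no media before accept" is the kind of condition worth asserting in the client's call-state tests and logging as an anomaly in call telemetry.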

Now, if you are someone who keeps up with bug fix reports and other security-related news, you will notice that this vulnerability bears a stark resemblance to the one reported last year in Apple’s FaceTime group chats feature.

The bug in FaceTime group chats made it possible for threat actors to start a video call and then eavesdrop on the recipients even before they accepted the incoming call. Back then, Apple quickly took note of the situation and first disabled the group chats feature before fixing the bug in the next iOS update.

That being said, the recent Facebook vulnerability was harder to exploit than Apple’s, which surfaced in 2019. In Facebook’s case, the caller, aka the threat actor, would need to have been friends with the callee to pull it off.

On top of that, the attack also required the threat actor to modify their own Messenger app using reverse engineering tools so that they could send the custom “SdpUpdate” message. Thus, when it comes to ease of exploitation, Apple’s vulnerability definitely wins.

This is not the first time Facebook or its family of apps has been shaken by a serious bug. Every year there are reports of various bugs in Facebook’s systems that put hundreds of billions of users at risk of either losing their sensitive personal information or getting hacked.

All in all, for now, Facebook users can sleep better knowing this potential threat is no longer active. The social media behemoth awarded Silvanovich a whopping $60,000 bug bounty for reporting the issue, one of the three highest bug bounties it has paid out to date.
