Despite all its claims and assurances, Facebook is, for one reason or another, still far from winning the trust of users.
Facebook recently patched a critical bug in the widely used Messenger app for Android, which could have let threat actors call unsuspecting users and start listening to them even before they picked up the call!
Scary, isn’t it?
Credit goes to Natalie Silvanovich, a member of Google’s Project Zero team, who reported the flaw to Facebook last month, on October 6th. The bug no longer exists, as the Facebook team quickly took note of it and patched the hole.
However, it’s unknown how many malicious hackers ended up discovering this vulnerability. It’s believed that the issue was taken care of before it could have a wide-scale impact on the 1.3 billion Messenger users that currently exist.
The bug allowed an attacker logged into the app to call a target and also send specially crafted messages to that target, provided the target was signed in via the Messenger app or a web browser.
Dan Gurfinkel, Facebook’s Security Engineering Manager, said that this would then trigger a scenario in which the device that had been called would begin receiving audio even before the call was answered.
After reporting the bug, Silvanovich mentioned in a blog post about it that the flaw resided in WebRTC’s Session Description Protocol (SDP), which is a standard format for the exchange of media being streamed between two endpoints.
She further elaborated that the flaw would allow attackers to send a specially encoded message known as “SdpUpdate”, which would cause a call to the target’s device to connect without the call being answered.
In a typical scenario, audio or video calls routed via WebRTC do not transmit audio until the recipient accepts the call. But if the “SdpUpdate” message is sent to the target device while it is ringing, the device starts transmitting audio immediately, which lets the threat actor monitor the callee’s surroundings.
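The state check that keeps an “SdpUpdate” from starting audio while the phone is still ringing, sketched as an added example (not code from the original article, Facebook or WebRTC). The call states, the "Offer" and "Hangup" message types and the `CalleeSession` class are assumptions made for illustration; only the "SdpUpdate" name comes from the article.

```javascript
// Illustrative model only: not Messenger's code. Every name except "SdpUpdate" is assumed.
const State = Object.freeze({ IDLE: "idle", RINGING: "ringing", ACTIVE: "active", ENDED: "ended" });

// Remote signalling messages the callee will process in each call state.
// "SdpUpdate" is deliberately absent from RINGING.
const ALLOWED = {
  [State.IDLE]: new Set(["Offer"]),
  [State.RINGING]: new Set(["Hangup"]),
  [State.ACTIVE]: new Set(["SdpUpdate", "Hangup"]),
  [State.ENDED]: new Set(),
};

class CalleeSession {
  constructor() {
    this.state = State.IDLE;
    this.sendingAudio = false;
    this.remoteSdp = null;
    this.rejected = []; // out-of-state messages, kept for logging and alerting
  }

  // Handle a message from the remote peer; returns true if it was processed.
  onRemoteMessage(msg) {
    if (!ALLOWED[this.state].has(msg.type)) {
      this.rejected.push({ type: msg.type, state: this.state });
      return false;
    }
    if (msg.type === "Offer") {
      this.state = State.RINGING;
      this.remoteSdp = msg.sdp;
    } else if (msg.type === "SdpUpdate") {
      this.remoteSdp = msg.sdp; // renegotiation never touches sendingAudio
    } else if (msg.type === "Hangup") {
      this.state = State.ENDED;
      this.sendingAudio = false;
    }
    return true;
  }

  // The only path that starts audio capture: a local user action while ringing.
  acceptCall() {
    if (this.state !== State.RINGING) return false;
    this.state = State.ACTIVE;
    this.sendingAudio = true;
    return true;
  }
}
```

Entries in `rejected` with type "SdpUpdate" and state "ringing" are the signal worth alerting on, since a well-behaved peer has no reason to renegotiate before the call is answered.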
Now, if you are someone who keeps themselves updated with bug fix reports and other security-related news, you would notice that this vulnerability bears a stark resemblance to the one that was reported last year in Apple’s FaceTime group chats feature.
The bug in FaceTime group chats made it possible for threat actors to start a video call and then eavesdrop on the recipients even before they accepted the incoming call. Back then, Apple quickly took note of the situation, first moving to remove the group chats feature and then fixing the issue in its next iOS update.
That being said, the recent Facebook vulnerability was tougher to exploit than Apple’s, which popped up in 2019. In Facebook’s case, the caller, i.e. the threat actor, would need to have been friends with the callee to pull it off.
On top of that, the attack also required the threat actor to manipulate their own Messenger app using reverse engineering tools so that they could send the custom “SdpUpdate” message. Thus, when it comes to ease of exploitation, Apple’s vulnerability definitely wins.
This is not the first time Facebook or its family of apps has been shaken by a serious bug. Every year there are reports of various bugs in Facebook’s systems that put hundreds of billions of users at risk of either losing their sensitive personal information or getting hacked.
All in all, for now, Facebook users can sleep better, knowing this potential threat is no longer active. The social media behemoth awarded Silvanovich a whopping $60,000 bug bounty for reporting the issue, which is one of the three highest bug bounties paid out to date.