On Thursday, Facebook patched a key security flaw in its Messenger for Android app that could have let attackers place and connect Messenger audio calls without the callee’s knowledge or interaction.
The flaw, which could have been exploited to spy on Facebook users via their Android phones, was found during a security audit by Natalie Silvanovich, an investigator working for Google’s Project Zero security team.
Silvanovich said the bug existed in the WebRTC protocol that the Messenger app uses to support audio and video calls.
More precisely, Silvanovich said the issue resided in the Session Description Protocol (SDP), part of WebRTC, which handles session data for WebRTC connections.
“There is a message type that is not used for call set-up, SdpUpdate,” Silvanovich explained. “If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”
Per Silvanovich’s bug report, exploiting the bug takes a few seconds.
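The missing check behind this class of bug can be modeled as a callee-side state machine. The sketch below is an added example, not Messenger's code and not taken from the bug report: the class, the state names and the `hardened` switch are assumptions, and only the `SdpUpdate` message type comes from the article.

```python
from enum import Enum, auto


class CallState(Enum):
    RINGING = auto()   # incoming call shown to the user, not yet answered
    ACCEPTED = auto()  # the user has explicitly answered


class Callee:
    """Toy model of a callee's signaling handler (hypothetical names)."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.state = CallState.RINGING
        self.transmitting_audio = False
        self.rejected = []  # message types dropped by the handler

    def user_accepts(self):
        # Only an explicit user action moves the call out of RINGING.
        if self.state is CallState.RINGING:
            self.state = CallState.ACCEPTED
            self.transmitting_audio = True

    def on_signaling_message(self, msg_type: str):
        if msg_type != "SdpUpdate":
            self.rejected.append(msg_type)  # unknown types are dropped
            return
        # Hardened: a mid-call message type is valid only after the user
        # has answered, so it is dropped while the phone is still ringing.
        if self.hardened and self.state is not CallState.ACCEPTED:
            self.rejected.append(msg_type)
            return
        # Unhardened: the update is applied in any state, which opens the
        # audio path even though nobody answered the call.
        self.transmitting_audio = True


def audio_before_answer(hardened: bool) -> bool:
    """Deliver SdpUpdate while ringing and report whether audio went live."""
    callee = Callee(hardened)
    callee.on_signaling_message("SdpUpdate")
    return callee.transmitting_audio


if __name__ == "__main__":
    print("unhardened transmits before answer:", audio_before_answer(False))
    print("hardened transmits before answer:", audio_before_answer(True))
```

The same check generalizes: every signaling message type should be validated against the current call state before it can touch the media path.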
The Google investigator reported the issue to Facebook last month, and Facebook patched it Thursday in an update to its Messenger for Android app.
“This report is among our three highest bug bounties at $60,000, which reflects its maximum potential impact,” Facebook said today.
Previously, Silvanovich also found and reported similar problems in other instant messaging applications, one of her fields of expertise.