Google's Project Zero bug-hunting team member, Natalie Silvanovich, discovered a bug in Facebook Messenger that could have allowed remote attackers to intercept the voice calls of unsuspecting targets and listen to them even before they picked up the call.
While the flaw was reported to Facebook on October 6 and having fulfilled the mandatory 90-day deadline, is now made public as it impacts Messenger version 2188.8.131.52.119 (and later) for Android.
The Messenger bug could have allowed an attacker to simultaneously initiate a call and send a maliciously crafted message to a target who is signed-in to both the app and other Messenger client such as the web browser.
How the Messenger Bug could allow Hackers intercept Voice Calls before Pick Up?
The Messenger bug resides in WebRTC's Session Description Protocol (SDP), which is a standardized format for the exchange of streaming media between two endpoints, thus allowing an attacker to send a specially crafted message known as "SdpUpdate" that could cause the voice call to connect to the called user's device before being answered.
It would then trigger a scenario where, as the device is ringing, the caller would begin to get the audio until the person called answers or the call eventually times out.
As audio and video calls through WebRTC are typically not transmitted with audio until the recipient clicks the accept button, but if the "SdpUpdate" message is sent to the device on the other end while it is ringing, it will result to transmitting audio immediately, and could allow an attacker to spy the called user's environment.
It is quite similar to the Apple's FaceTime bug that made it possible for users to initiate a FaceTime video call and eavesdrop on targets by simply adding their number as a third person in a group chat before even the person on the other end has accepted the incoming call.
Albeit, in the case of the Messenger bug, the caller would need to already have the permissions to call the specific person, that is, the caller and the called would have to be friends on Facebook to pull it off.
How to Mitigate against the Messenger Bug?
The Messenger bug was promptly reported to Facebook and Facebook has subsequently patched the bug, awarding to Silvanovich a $60,000 bug bounty for reporting the issue, which amount is among Facebook's three highest bug bounties to date, and the Google researcher pledges to donate the bounty to a non-profit named GiveWell.
Therefore, it is highly recommended that all Facebook Messenger users should update their Messenger app installed on Android to the latest version to mitigate the flaws.