Facebook Messenger users were on the verge of losing their privacy through nothing more than a phone call. Facebook has fixed a serious bug that could have left millions of its Android Messenger users at risk of being spied on.
All an attacker had to do was send a message of type ‘SdpUpdate’ through the Messenger application. The bug connected the caller to the callee’s phone and gave the caller access to the callee’s audio before the callee answered the call.
This issue could have left millions of users vulnerable and their private conversations leaked. However, Zuckerberg’s team acted swiftly and got it fixed in time.
On October 7, 2020, Google Project Zero security researcher Natalie Silvanovich first reported the flaw and identified the problem.
Natalie works on browser security, and her core focus is on tackling security faults that can breach users’ privacy. Describing the Messenger bug, she said:
“There is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately.”
Natalie found that the bug, triggered by the SdpUpdate message, resided in the handling of the Session Description Protocol (SDP), which is part of WebRTC. It allowed the Messenger signaling protocol to transmit audio from the callee’s surroundings without them knowing.
Testing the issue
Using a Python-based proof-of-concept (PoC), she reproduced the bug and documented it on Project Zero’s bug tracker, digging a bit deeper into the issue.
The issue was present in Facebook Messenger for Android version 284.0.0.16.119. With a simple Python program and a call placed to the target, the attacker could access audio from the targeted device.
Within a short while, the attacker was able to hear audio from the target’s surroundings.
The PoC steps that automatically connected the call to the target’s device are as follows:
- Send the offer and store the sdpThrift field from the offer.
- After the offer is sent, an SdpUpdate message is sent to the target using the stored sdpThrift.
- Finally, a fake SdpAnswer message is sent to the attacker, causing the target’s device to give access to its audio.
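The core of the flaw is a signaling layer that applies an SDP update (and so starts media) while the callee has not yet accepted. Below is an added, simplified model of that state check, written for this article and not taken from Messenger or WebRTC; the message names Offer and Accept, the CallSession class and the message sequence are constructed assumptions, and only SdpUpdate comes from the report.

```python
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()    # offer received, local user has not accepted yet
    ACCEPTED = auto()   # local user pressed answer
    CONNECTED = auto()


class CallSession:
    """Toy callee-side signaling handler (hypothetical model, not Messenger code)."""

    def __init__(self, strict: bool):
        self.strict = strict            # True = hardened state check enabled
        self.state = CallState.IDLE
        self.audio_streaming = False
        self.log = []

    def set_local_description(self, sdp: str) -> None:
        # Applying a local description with an audio m-line starts media
        # capture in a real WebRTC stack; the model records that side effect.
        self.log.append("setLocalDescription(%s)" % sdp)
        self.audio_streaming = True

    def on_message(self, msg: dict) -> bool:
        kind = msg["type"]
        if kind == "Offer" and self.state == CallState.IDLE:
            self.state = CallState.RINGING
            return True
        if kind == "Accept" and self.state == CallState.RINGING:
            self.state = CallState.ACCEPTED
            self.set_local_description(msg["sdp"])
            return True
        if kind == "SdpUpdate":
            # Vulnerable behaviour: apply any SdpUpdate immediately.
            # Hardened behaviour: only after the local user has accepted.
            if self.strict and self.state not in (CallState.ACCEPTED, CallState.CONNECTED):
                self.log.append("rejected SdpUpdate before answer")
                return False
            self.set_local_description(msg["sdp"])
            return True
        return False


def simulate(strict: bool) -> CallSession:
    """Constructed sequence: an offer arrives, then an SdpUpdate before any answer."""
    session = CallSession(strict)
    session.on_message({"type": "Offer", "sdp": "v=0 m=audio ..."})
    session.on_message({"type": "SdpUpdate", "sdp": "v=0 m=audio ..."})
    return session
```

With the check disabled the session starts streaming while still ringing; with it enabled the update is logged and dropped, which is also the event a client-side telemetry pipeline would want to surface.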
How did Facebook respond?
Facebook explained that, to exploit this issue, the attacker would already have had to be friends with the victim and eligible to call them. The social media giant did not take much time to respond.
In fact, Facebook noted in its blog post:
“They’d also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a custom message,”
The company made a quick fix and strengthened security further; they followed up with a combination of manual code review and automated detection. Security researchers continue to look after the software with additional protections.
As a gesture of gratitude, Facebook awarded Natalie a bug bounty of $60,000, which ranks as the third-highest bug bounty award by the social giant this year. In 2020, the company has already given $1.98 billion in bug bounty rewards to security researchers.
Facebook paying such handsome cash for this bug to a Google security researcher also hints at how severe its potential impact could have been.