Facebook has patched a bug in its Messenger for Android client, which would have allowed an attacker to listen to the target’s surroundings even without his consent.
To exploit this, both parties have to be friends on Facebook already, and one should initiate a Messenger call to the other. He then sends a customized message to trigger the bug and listen to others before lifting the call.
Google Spots Facebook Messenger Bug
Natalie Silvanovich, a researcher from Google’s Project Zero, has discovered a critical bug in Facebook’s Messenger for Android, which would allow a malicious user to spy on his friend’s surroundings by listening through a Messenger call.
Technical details of the Facebook calling bughttps://t.co/wwL9gedW8c
— Natalie Silvanovich (@natashenka) November 19, 2020
Exploiting the bug needs the attacker to be a friend of the target on Facebook already and should start a Messenger call. It requires the attacker to send a customized message called SdpUpdate, which allows him to listen to sounds from the target surroundings, even before he accepts the call.
Silvanovich explained as “the callee does not transmit audio until the user has consented to accept the call, which is implemented by either not calling setLocalDescription until the callee has clicked the accept button, or setting the audio and video media descriptions in the local SDP to inactive and updating them when the user clicks the button.”
This issue was found in Facebook Messenger v284.0.0.16.119, which is now patched by Facebook from a server-side update. There’s even a Python-based proof-of-concept exploit code set out by researchers to reproduce Project Zero’s bug tracker scenario.
As described by the researcher, the PoC code goes through the following steps to exploit the bug;
- Waits for the offer to be sent and saves the sdpThrift field from the offer
- Sends a SdpUpdate message with this sdpThift to the target
- Sends a fake SdpAnswer message to the *attacker* so the device thinks the call has been answered and plays the incoming audio.
Facebook explained that the attacker intended to perform this should already be a friend of the target and reverse engineer his Messenger to configure his device to fool the target’s device.
It rewarded the researcher with a $60,000 bounty, since “it reflects its maximum potential impact,” said Dan Gurfinkel, Facebook’s Security Engineering Manager.
