A security researcher from Google’s Project Zero has found several vulnerabilities in most of the popular messaging apps that would let attackers hear a target’s surroundings without consent. The bugs were in the calling function of these apps, where a caller could hear the audio, and sometimes view the video, before the call was accepted.
Patched Bugs in Calling Functionality
Natalie Silvanovich, a security researcher from Google Project Zero, has discovered various logic bugs in several instant messengers that would let an attacker snoop on the target. She spotted five bugs in seven video conferencing apps that transmit the audio/video even before the callee accepts the call request.
I found logic bugs that allow audio or video to be transmitted without user consent in five mobile applications including Signal, Duo and Facebook Messenger https://t.co/PlB0PzLzjJ
— Natalie Silvanovich (@natashenka) January 19, 2021
This is concerning because it is the reverse of how calling is supposed to work. When a caller calls a contact, the caller should receive audio from the callee’s side only after the callee accepts the request. But she observed that some apps allowed audio transmission to happen even before the callee accepted the call.
She saw this flaw in apps like Signal, JioChat, Facebook Messenger, Mocha, and even Google’s own Duo. All of these bugs were spotted in 2020 and patched. In some apps this affected video calling as well as audio: Google Duo and Mocha transferred video packets to the caller even before the callee accepted.
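The rule these bugs broke can be written as one invariant on the callee's side: no audio or video leaves the device until the local user accepts. The sketch below is an added illustration, not code from any of the apps named or from the researcher's report. The class, state names and message types ("hangup", "connected") are constructed for the example.

```python
from enum import Enum, auto

class CallState(Enum):
    RINGING = auto()
    ACCEPTED = auto()
    ENDED = auto()

class CalleeSession:
    """Hypothetical callee-side call session (constructed for illustration)."""

    def __init__(self):
        self.state = CallState.RINGING
        self.sent = []      # frames actually handed to the network
        self.dropped = 0    # frames suppressed because there was no consent yet

    def user_accept(self):
        # Only a local UI action calls this; remote messages never do.
        if self.state is CallState.RINGING:
            self.state = CallState.ACCEPTED

    def user_decline(self):
        self.state = CallState.ENDED

    def on_signal(self, msg_type):
        """Handle a message from the remote peer; return True if honoured."""
        if msg_type == "hangup":
            self.state = CallState.ENDED
            return True
        # Any other remote message (for example a claim that the call is
        # already connected) must not change the consent state.
        return False

    def send_media(self, kind, frame):
        """Single choke point for outgoing audio and video."""
        if self.state is not CallState.ACCEPTED:
            self.dropped += 1
            return False
        self.sent.append((kind, frame))
        return True

def demo():
    s = CalleeSession()
    before = s.send_media("audio", b"\x00")   # still ringing: suppressed
    s.on_signal("connected")                  # remote claim is ignored
    still = s.send_media("video", b"\x01")    # still suppressed
    s.user_accept()                           # local consent
    after = s.send_media("audio", b"\x02")    # now transmitted
    return before, still, after, s.dropped, len(s.sent)
```

Routing every outgoing frame through one gate keyed on a locally set state makes the property straightforward to test for audio and video alike.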
She noted that “It is also concerning to note that I did not look at any group calling features of these applications, and all the vulnerabilities reported were found in peer-to-peer calls. This is an area for future work that could reveal additional problems.”
As for the most popular messenger today, WhatsApp, there was a bug that would crash the app when the user accepts a call. This was patched after it was reported. She did not find any such bugs in Telegram and Viber.