Facebook Messenger for Android had a bug that allowed hackers to call users and listen to them even before they answered the call. The bug in Messenger attracted $ 60,000 from the Facebook bug bounty program that has been up and running for the past decade. It was discovered by Natalie Silvanovich of Google’s Project Zero bug search team. Silvanovich, who has been researching other video apps, noted that four bugs have been fixed as a result so far in Signal, Mocha, JioChat, and Facebook Messenger.
The bug in the Facebook Messenger app for Android has now been fixed. According to Wired, the vulnerability was difficult to exploit as it required both the attacker and the target to be connected to Facebook for Android. It also required the victim to log into Messenger in a web browser or some other way. The caller and recipient must also be Facebook friends. Furthermore, they would also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a personalized message.
“What you would see is that the attacker calls you and then the phone rings and they can listen until you answer or the call times out,” Dan Gurfinkel, Facebook’s security engineering manager, said in a blog post. “We quickly fixed this before it was exploited.”
Facebook confirmed that the vulnerability had never been exploited because no logs contained evidence of the strategic protocol messages that the attackers would need to send. Facebook reportedly adjusted its own server-side infrastructure to instantly fix the flaw for all users instead of issuing a patch for the mobile app.
The Facebook Messenger bug was similar to the Facetime bug discovered by a 14-year-old young man last year that allowed hackers to call the victim and listen to the users around them even before they answered the call. The Apple Group FaceTime feature had a bug that allowed iPhone users to use the feature to call their friends to listen to their conversations even if their call had not been answered. Apple soon went ahead with a software fix for the bug. However, reports point out that Messenger calls would be difficult to exploit because the caller and the caller are Facebook friends.
Earlier this year, Facebook launched Messenger rooms for up to 50 participants. However, Facebook on one of its support pages noted that Rooms is not end-to-end encrypted.
“Rooms is based on Messenger, so it uses the same technology to encrypt an audio and video conversation between people as it travels from their devices to our servers that we have placed in only a handful of countries that have a strong rule of law. No end-to-end encryption. While there are significant challenges in providing end-to-end encryption for video calls with large groups of people, we are actively working to achieve this in Messenger and Rooms, “Facebook noted.