A bug has been found on Facebook Messenger that allows users to be tapped before they even answered the call. The company does not know how many hackers have taken advantage of this vulnerability.
Facebook had fixed a bug in the Messenger app for Android that allowed a remote attacker to call and listen to any users before they even answered the call. This bug was discovered by researcher Natalia Silvanovich from the Google Project Zero team.
The vulnerability could give an attacker logged into the application to simultaneously call and send a special message to the target. This provoked a scenario in which the caller would gain access to the microphone until the caller answered or timed out.
Facebook security manager Dan Gurfinkel noted that they’ve already fixed the bug. However, they have no data on how many hackers took advantage of the vulnerability.
According to Silvanovich’s technical note, the flaw was in WebRTC’s Session Description Protocol (SDP), which defines a standardized format for exchanging streaming media between two endpoints. It allows an attacker to send a special type of message known as SdpUpdate, which will trigger a connection to the caller’s device before answering the call.
The vulnerability has been compared to a bug found in Apple’s FaceTime group chats last year. It allowed users to initiate a FaceTime video call and eavesdrop on their interlocutors. The company noted that they had fixed this error.