A critical flaw in the Facebook Messenger messaging app for Android which allowed callers to listen to users’ surroundings without permission has been fixed by Facebook.
The bug allowed a caller to eavesdrop on the person they were calling before the call was answered. To exploit it, the caller had to send a signalling message of a type known as SdpUpdate to the callee while the callee’s device was ringing; this caused the callee’s device to start transmitting audio to the caller before the call had been accepted.
Under normal circumstances the Messenger client does not transmit audio until the user has granted permission, which happens when the call is answered. Sending the SdpUpdate message while the device was ringing bypassed that step, and audio began to flow almost immediately.
The bug was discovered by Google Project Zero’s Natalie Silvanovich during a security audit of the Facebook Messenger app. It lay in how Messenger handled Session Description Protocol (SDP) messages, the part of WebRTC signalling that describes the media session being negotiated between the two endpoints. Silvanovich found that a crafted SDP message caused the WebRTC connection to be accepted without any user interaction; a few seconds after the message was sent, audio from the callee’s surroundings could be heard by the caller.
The flaw could only be exploited by someone on the target’s Facebook friend list, or who had otherwise been granted permission to call the target on Messenger. Audio could only be heard for as long as the call was ringing; once the call timed out, no further audio was received. The attacker also had to modify their own Messenger client in order to send the SdpUpdate message at the right moment, since the unmodified app does not send it while a call is still ringing.
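The mechanism above is a state-machine problem: the callee's media pipeline must be enabled by the user's answer, not by whichever signalling message happens to arrive. The following is an added illustration, not Facebook's or WebRTC's code, that models a callee's call handling with two variants: one that applies a remote SDP update and starts the microphone as soon as the update arrives (the pattern the bug describes), and one that defers any media start until the user has answered. The message names, states and `Callee` class are assumptions made for the illustration.

```javascript
// Added example (not code from Facebook Messenger or the WebRTC project):
// a toy callee-side signalling state machine for a voice call.
// Assumed states: idle -> ringing -> connected | ended.
// Assumed messages: Offer (starts ringing), SdpUpdate (mid-call renegotiation).

class Callee {
  constructor({ gateMediaOnAnswer }) {
    this.gateMediaOnAnswer = gateMediaOnAnswer; // false = vulnerable variant
    this.state = "idle";
    this.micTransmitting = false; // true means the caller can hear the room
    this.remoteSdp = null;        // most recently applied remote description
    this.pendingSdp = null;       // update held back until the user answers
  }

  // Caller's initial offer: both variants only start ringing here.
  onOffer(sdp) {
    if (this.state !== "idle") return;
    this.remoteSdp = sdp;
    this.state = "ringing";
  }

  // Caller's renegotiation message (the SdpUpdate of the write-up).
  onSdpUpdate(sdp) {
    if (this.state === "idle" || this.state === "ended") return;
    if (this.state === "connected" || !this.gateMediaOnAnswer) {
      // Vulnerable variant: applying the update while still ringing
      // enables the outbound audio track with no user interaction.
      this.remoteSdp = sdp;
      this.micTransmitting = true;
      return;
    }
    // Hardened variant: remember the update, but do not touch media
    // until the user has explicitly answered.
    this.pendingSdp = sdp;
  }

  // Local user taps "answer": the only place media should be enabled.
  answer() {
    if (this.state !== "ringing") return;
    if (this.pendingSdp !== null) {
      this.remoteSdp = this.pendingSdp;
      this.pendingSdp = null;
    }
    this.state = "connected";
    this.micTransmitting = true;
  }

  // Unanswered call times out: tear down any media either way.
  ringTimeout() {
    if (this.state !== "ringing") return;
    this.state = "ended";
    this.micTransmitting = false;
    this.pendingSdp = null;
  }
}

// Attacker's sequence from the write-up: offer, then SdpUpdate while ringing.
// Returns what the attacker could hear during ringing and after the timeout.
function simulateAttack(gateMediaOnAnswer) {
  const callee = new Callee({ gateMediaOnAnswer });
  callee.onOffer("v=0 (constructed offer)");
  callee.onSdpUpdate("v=0 (constructed SdpUpdate)");
  const leakedWhileRinging = callee.micTransmitting;
  callee.ringTimeout();
  return { leakedWhileRinging, afterTimeout: callee.micTransmitting, state: callee.state };
}

// Legitimate call flow, to confirm the gating does not break normal calls.
function simulateNormalCall(gateMediaOnAnswer) {
  const callee = new Callee({ gateMediaOnAnswer });
  callee.onOffer("v=0 (constructed offer)");
  callee.onSdpUpdate("v=0 (constructed SdpUpdate)");
  callee.answer();
  return { state: callee.state, micTransmitting: callee.micTransmitting, appliedSdp: callee.remoteSdp };
}

module.exports = { Callee, simulateAttack, simulateNormalCall };
```

Running `simulateAttack(false)` reproduces the eavesdropping window (audio flows while ringing and stops at the timeout), while `simulateAttack(true)` never enables the microphone before the answer. The fix is not to reject SdpUpdate messages outright, which would break renegotiation on connected calls, but to make the user's answer the sole trigger for starting media.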
Silvanovich reported the bug to Facebook last month and a patch was released to correct the flaw on November 19, 2020. Silvanovich was awarded a $60,000 bug bounty for identifying and reporting the bug to Facebook, indicating the severity of the flaw. The bug bounty is in the top three highest bug bounties paid by Facebook to researchers who have reported security flaws.
Silvanovich has donated the bug bounty to the non-profit GiveWell. Facebook later issued a statement saying it would match her donation, bringing the total sent to the GiveWell Maximum Impact Fund to $120,000.