Facebook Messenger bug allowed Android users to spy on each other

[tarekma7]

 

Facebook fixed a critical flaw in the Facebook Messenger for Android messaging app that allowed callers to listen to other users' surroundings without permission before the person on the other end picked up the call.

 

Facebook Messenger for Android has been installed on more than 1 billion Android devices according to the app's official Play Store page.

 

Attackers could have exploited this bug by sending a special type of message known as SdpUpdate which would cause the call to connect to the callee's device before it was answered.

 

"If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee's surroundings," explains Natalie Silvanovich, a researcher part of Google's Project Zero bug-hunting team.

 

"Normally, the callee does not transmit audio until the user has consented to accept the call, which is implemented by either not calling setLocalDescription until the callee has clicked the accept button, or setting the audio and video media descriptions in the local SDP to inactive and updating them when the user clicks the button (which strategy is used depends on how many endpoints the callee is logged into Facebook on)."

 

Reproducing the Messenger for Android issue

Silvanovich found the issue on version 284.0.0.16.119 of Facebook Messenger for Android last month. The researcher also provides Python-based proof-of-concept (PoC)  exploit code to reproduce the issue on Project Zero's bug tracker.

 

The full procedure for reproducing the now fixed issue involves making an audio call to the target device after running the PoC on the attacker's device.

 

After waiting a few seconds, the attacker can hear audio from the target's surroundings through their device's speakers.

 

To automatically connect the call, the PoC will go through the following steps:

 

Waits for the offer to be sent, and saves the sdpThrift field from the offer

Sends a SdpUpdate message with this sdpThift to the target

Sends a fake SdpAnswer message to the *attacker* so the device thinks the call has been answered and plays the incoming audio

Bug exploitable by attackers in the target's friends list

As per Facebook's explanation, this bug "could have allowed a sophisticated attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to someone logged in on Messenger for Android and another Messenger client (i.e. web browser)."

 "It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out.

"To exploit this issue, an attacker would have to already have the permissions to call this particular person bypassing certain eligibility checks (e.g. being friends on Facebook). They’d also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a custom message."

 

After fixing the bug reported by Project Zero server-side, Facebook's security researchers applied additional protections across other apps that use the same protocol for 1:1 calling.

Bug awarded a $60,000 bug bounty

Facebook awarded Silvanovich with a $60,000 bounty for finding and disclosing this Messenger for Android bug.

 

"This report is among our three highest bug bounties at $60,000, which reflects its maximum potential impact," Dan Gurfinkel, Facebook's Security Engineering Manager, said earlier today.

 

The Project Zero researcher says that she will donate the entire sum to the GiveWell Maximum Impact Fund. Collin Greene, Product Security Manager at Facebook, later said that the company will match Silvanovich's donation to GiveWell for a total of $120,000.

 

Over 50,000 researchers joined Facebook's bug bounty program and roughly 6,900 of them were awarded a bounty after filing more than 130,000 vulnerability reports since 2011.

This year alone, Facebook says that over $1.98 million were awarded to researchers from more than 50 countries who reported over 1,000 vulnerabilities.

 

Update: Added info on Facebook's bug bounty program.

 

source