Facebook Messenger Bug Connected Audio Calls Without Approval

Do you have an Android, use Facebook Messenger often, and get calls regularly?

If yes, you might want to know that recently Facebook Messenger had a very unpleasant bug that allowed malicious users to connect audio calls without permission from the call recipient.

In simple words, because of this bug, the app enabled your microphone before you have accepted the call, which could allow the attacker to get a “sneak peak” on the comments you may have dropped before picking up the device.

While it did not make long-term surveillance a possibility and reportedly wasn’t used “in the wild” before being patched, Facebook Messenger users might want to know more about how this attack could be possible.

WebRTC Protocol At Fault Again

The bug was discovered in version 284.0.0.16.119 of Facebook Messenger for Android by Google’s Project Zero security researcher Natalie Silvanovich. More precisely, the Messenger issue was present in the Session Description Protocol (SDP), part of WebRTC.

In the past, Natalie reported on a similar issue in Signal, where the vulnerability also resided in the WebRTC protocol used to support audio and video calls. She also discovered a bug in WhatsApp for Android and iOS that allowed attackers to take over the app after a user answered a video call. 

The SDP control message could have been abused to approve WebRTC connections, tricking the app into thinking you have agreed to the call. Interestingly enough, the bug could not be exploited if you were logged out of Facebook in your browser at the call time. Also an attacker would have to be friends with the target on Facebook, to bypass calling eligibility checks.

Reportedly, the exploit took only a few seconds to be executed but wasn’t known to the attackers. Natalie reported the issue last month and got a $60,000 bug bounty as a reward. The funds were fully donated to charity activity GiveWell, with Facebook joining the good cause afterwards.

All is well that ends well, but even though this vulnerability wasn’t exploited widely, Messenger users should stay cautious. Other apps that use this protocol for one on one calling need to patch the bug, if they didn’t already.

More Popular Applications Could Be Exploited

Vulnerabilities in WebRTC can be exploited not only by the totalitarian governments who hunt down political activists, but also by little children against their classmates.

Group FaceTime once had a vulnerability where anyone could initiate a FaceTime call, add a person, and enter their own number to add themselves as a participant in a Group FaceTime call. This would lead to callee’s camera and microphone working before the call would be accepted.

Memory corruption vulnerabilities are common in WebRTC, and attackers often combine multiple bugs to overtake the targeted system completely. Hackers are on the constant look out for new vulnerabilities that could hurt users. While WebRTC integrators have a responsibility to protect their users, nobody is immune from bugs. It would make sense to avoid relying on obscure features, as we can never know if they were well-tested or how they will change tomorrow. 

WebRTC vulnerabilities carry a high risk because they affect both mobile and web applications. Among others, Signal, Duo, Zoom, WebEx, and Browser Facebook could be exploited through WebRTC.

So what can a regular person do to avoid the worst case scenario?

Update messengers whenever possible, and log out of Facebook when you don’t need it to cut down exposure risk. Remember, just this year Facebook has awarded researchers close to $2 millions in bug bounties.Perhaps it is time to make a switch?