Facebook Messenger Bug on Android Allows Hackers to Spy on You
- By Dawna M. Roberts
- Published: Nov 27, 2020
- Last Updated: Mar 18, 2022
The Hacker News reported this week that a Facebook Messenger bug on Android allows hackers to listen in on calls and gather information for identity theft and fraud. The bug reportedly let an attacker listen in even before the call was picked up.
What Happened?
Natalie Silvanovich from Google’s Project Zero bug-hunting team found the bug last month, on October 6th. She reported it to Facebook under Project Zero’s usual 90-day deadline to fix it. The bug affects Facebook Messenger for Android version 284.0.0.16.119.
Facebook’s Security Engineering Manager, Dan Gurfinkel, described it this way: “It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out.”
The Technical Details
The Hacker News pulled the technical details from a write-up by Silvanovich, which explained that “the flaw resides in WebRTC’s Session Description Protocol (SDP) — which defines a standardized format for the exchange of streaming media between two endpoints — allowing an attacker to send a special type of message known as ‘SdpUpdate’ that would cause the call to connect to the callee’s device before being answered.”
Audio and video calls via WebRTC typically do not transmit audio until the recipient has tapped the accept button, but if this “SdpUpdate” message is sent to the other device while it is ringing, “it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”
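To make the signalling flaw concrete from the callee’s side, here is an added toy model of the ringing state machine. It is illustration code written for this article, not Messenger or WebRTC code; the message names (offer, SdpUpdate, accept) and the two handling strategies are assumptions that mirror the behaviour described above. The vulnerable variant starts sending microphone audio as soon as an SdpUpdate is applied while ringing; the hardened variant stores the updated description but gates media on the local user’s accept.

```python
"""Toy model of a callee handling call signalling while ringing.

Added illustration only (not Facebook Messenger or WebRTC code).
Assumed message flow: offer -> [SdpUpdate] -> user accept.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class State(Enum):
    IDLE = auto()
    RINGING = auto()    # offer received, local user has not accepted
    CONNECTED = auto()  # local user accepted, media may flow


@dataclass
class Callee:
    hardened: bool                          # False models the flaw, True the fix
    state: State = State.IDLE
    remote_sdp: Optional[str] = None
    audio_tx: bool = False                  # True once we transmit mic audio
    log: List[str] = field(default_factory=list)

    def _start_audio(self, reason: str) -> None:
        self.audio_tx = True
        self.log.append(f"audio started: {reason}")

    def on_offer(self, sdp: str) -> None:
        # Incoming call: ring, remember the offer, send nothing yet.
        self.state = State.RINGING
        self.remote_sdp = sdp
        self.log.append("ringing")

    def on_sdp_update(self, sdp: str) -> None:
        # A remote description update arrives. In the vulnerable model,
        # applying it while ringing also starts media, regardless of
        # whether the user has accepted. In the hardened model the
        # description is stored and media stays gated on the accept.
        self.remote_sdp = sdp
        if self.state is State.CONNECTED:
            self._start_audio("SdpUpdate after accept (renegotiation)")
        elif self.state is State.RINGING and not self.hardened:
            self._start_audio("SdpUpdate while ringing")
        else:
            self.log.append("SdpUpdate stored; media gated on user accept")

    def on_user_accept(self) -> None:
        # The only event that should ever open the microphone.
        if self.state is State.RINGING:
            self.state = State.CONNECTED
            self._start_audio("user accepted")


def audio_before_accept(log: List[str]) -> bool:
    """Detection helper: did any audio start before the user accepted?"""
    for entry in log:
        if entry.startswith("audio started"):
            return "user accepted" not in entry
    return False


def simulate(hardened: bool):
    """Run offer -> SdpUpdate -> accept; return (leaked, final_tx, log)."""
    c = Callee(hardened=hardened)
    c.on_offer("v=0 (constructed offer SDP)")
    c.on_sdp_update("v=0 (constructed updated SDP)")
    leaked = c.audio_tx                     # audio flowing before accept?
    c.on_user_accept()
    return leaked, c.audio_tx, c.log


if __name__ == "__main__":
    for mode in (False, True):
        leaked, tx, log = simulate(mode)
        print("hardened" if mode else "vulnerable", leaked, tx, log)
```

The point of the model is where the media gate lives: in the vulnerable variant it is implied by “a remote description was applied”, so any signalling message that updates the description can open the microphone; in the hardened variant only the local accept event can. On a real client the equivalent check is that audio tracks stay muted or unsent until the answer path has run, whatever the signalling channel delivers in the meantime.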
Alarmingly, this issue is reminiscent of the Apple FaceTime group chat bug last year, which made it possible for a third party to add their number to a chat and eavesdrop on a call even before someone picked up the phone. Apple shut down the group chat feature until it fixed the bug in a later update.
She drafted a detailed write-up that included instructions to reproduce the issue:
“To reproduce this issue:
1) Log into Facebook Messenger on the attacker device
2) Log into Facebook Messenger on the target device. Also, log into Facebook in a browser on the same account. (This will guarantee call set-up uses the delayed calls to setLocalDescription strategy, this PoC doesn’t work with the other strategy)
3) install frida on the attacker device, and run Frida server
4) make a call to any device with the attacker device to load the RTC libraries so they can be hooked with Frida
5) unzip sdp_update, and locally in the folder, run:
python2 modifyout.py “attacker device name”
(to get a list of devices, run python2 modifyout.py)
6) make an audio call to the target device
In a few seconds, audio from the target devices can be heard through the speakers of the attacker device.
The PoC performs the following steps:
1) Waits for the offer to be sent, and saves the sdpThrift field from the offer
2) Sends an SdpUpdate message with this sdpThrift to the target
3) Sends a fake SdpAnswer message to the *attacker* so the device thinks the call has been answered and plays the incoming audio
The python for the PoC was generated using fbthrift, the thrift file used for generation is attached.
This PoC was tested on version 284.0.0.16.119 of Facebook Messenger for Android.”
How Did Facebook Respond?
Silvanovich was awarded $60,000 for finding and reporting the bug. She has decided to donate the prize to a non-profit called GiveWell. Silvanovich is somewhat of a superstar when it comes to identifying bugs. She is credited with finding a trove of issues with JioChat, Signal, WhatsApp, WeChat, and iMessage.
This week Facebook patched the bug, and users can update to the latest version to fix the issue on Android devices.