In the last few months, many bigs have been reported on platforms like Instagram, Microsoft, and Facebook that could have led to a serious data breach and privacy issues for the users, but we’re already resolved when detected by a team of digital researchers. A new bug has now been announced in Facebook Messenger which could have allowed callers to connect audio calls without the callee’s knowledge or approval. The bug was found in the Messenger app on the Android platform but has already been fixed by Facebook.
The vulnerability was initially found during a security audit by Natalie Silvanovich, a researcher working for Google’s Project Zero security team. The bug report has been made public today and it mentions that the bug resides in the WebRTC protocol which is used by the Messenger app to support audio and video calls. Silvanovich, who is part of the research team mentioned that the problem resided in the Session Description Protocol (SDP), part of WebRTC. It handles session data for WebRTC connections, and Silvanovich discovered that an SDP message could be abused to auto-approve WebRTC connections without user interaction.
The details regarding the bug were reported to Facebook last month by the same team of researchers and it was patched by Facebook immediately through a patch sent through a server-side update to Messenger service. Facebook also awarded them a $60,000 bug bounty for reporting the issue which was donated to GiveWell by Google researchers, which is a non-profit coordinator for charity activities. As per the official statement from Facebook, “This report is among our three highest bug bounties at $60,000, which reflects its maximum potential impact.”