Facebook has fixed a critical flaw in its appchangeof Facebook Messenger messages for Android, which allowed callers to listen to the environment of other users without permission, before the callee accepted the call !!.
Facebook Messenger for Android has been installed on more than 1 billion Android devices, according to official Play Store page of the application.
Attackers could have exploited this error, by sending a special type of message known as SdpUpdate, which would cause the call to connect to the called party's device before it was answered.
Such as explains Natalie Silvanovich"If this message is sent to the caller's device, it will start transmitting audio immediately while it is still ringing, which could allow an attacker to monitor the caller 's environment."
Normally, the recipient of the call does not transmit audio until it agrees to accept the call, which is implemented when it clicks the accept button. Now if all this time someone was calling you a little more persistently than normal, you should probably suspect it. Especially if it was your other half.
Silvanovich found the issue in version 284.0.0.16.119 του Facebook Messenger για Android τον περασμένο μήνα. Για να εκμεταλλευτεί αυτό το ζήτημα, ένας εισβολέας θα πρέπει να έχει ήδη τα δικαιώματα να καλέσει αυτό το συγκεκριμένο άτομο παρακάμπτοντας ορισμένους ελέγχους επιλεξιμότητας (π.χ. να είναι φίλοι στο Facebook). Θα πρέπει επίσης να γνωρίζει να χρησιμοποιεί tools reverse-engineered its own Messenger app to force it to send a custom message.
The Facebook awarded to Silvanovich a $ 60.000 donation to find and reveal this Messenger bug for Android.
This year alone, Facebook reports that more than $1,98 million was given to researchers by more than 50 countries which reported over 1.000 vulnerabilities.