Facebook has fixed a critical flaw in its messaging app Facebook Messenger for Android, which allowed callers to listen to the surroundings of other users without permission, before the person being called had accepted the call.
Facebook Messenger for Android has been installed on more than 1 billion Android devices, according to the application's official Play Store page.
Attackers could have exploited this flaw by sending a special type of message known as SdpUpdate, which would cause the call to connect on the called party's device before it was answered.
As Natalie Silvanovich, a researcher at Google's Project Zero, explains: "If this message is sent to the called user's device, it will cause it to start streaming audio immediately while it is still ringing, which could allow an attacker to monitor the callee's environment."
Normally, the recipient of a call does not transmit audio until they consent to accept the call, which happens when they click the accept button. So if someone has been calling you a little more persistently than normal lately, you should probably be suspicious. Especially if it was your other half.
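A minimal model of the consent check described above, added here as an illustration and not taken from Messenger's code or from Silvanovich's report: the callee side may only start sending audio after the local user accepts, so an SdpUpdate that arrives while the phone is ringing is rejected and logged. Apart from the SdpUpdate message name, every class, state and function name below is hypothetical.

```python
from enum import Enum, auto


class State(Enum):
    RINGING = auto()    # incoming call shown, user has not answered
    ACCEPTED = auto()   # local user tapped "accept"


class CalleeSession:
    """Toy callee-side call session (hypothetical model, not Messenger code)."""

    def __init__(self, enforce_consent):
        self.enforce_consent = enforce_consent
        self.state = State.RINGING
        self.sending_audio = False
        self.rejected = []          # audit trail for detection/telemetry

    def user_accepts(self):
        # Only a local UI action may move the session out of RINGING.
        if self.state is State.RINGING:
            self.state = State.ACCEPTED
            self.sending_audio = True

    def on_remote_message(self, msg_type):
        if msg_type == "SdpUpdate":
            if self.enforce_consent and self.state is not State.ACCEPTED:
                # Hardened path: remote input cannot start media before consent.
                self.rejected.append((msg_type, self.state.name))
                return False
            # Flawed path: the update is applied in any state, so audio
            # starts flowing while the phone is still ringing.
            self.sending_audio = True
            return True
        # Unknown message types are dropped and recorded.
        self.rejected.append((msg_type, self.state.name))
        return False


# Constructed sample input: the update arrives before the user answers.
PRE_ANSWER = [("remote", "SdpUpdate")]


def simulate(enforce_consent, events):
    """Replay constructed events; return (audio_on, rejected_messages)."""
    session = CalleeSession(enforce_consent)
    for kind, value in events:
        if kind == "remote":
            session.on_remote_message(value)
        elif kind == "local" and value == "accept":
            session.user_accepts()
    return session.sending_audio, session.rejected
```

With `enforce_consent=False` the constructed sequence turns audio on while the session is still ringing; with `enforce_consent=True` audio stays off and the rejected message is recorded for review.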
Silvanovich found the issue in Facebook Messenger version 284.0.0.16.119 for Android last month. To take advantage of this issue, an intruder would already need to have the right to call that person by passing certain eligibility checks (e.g. being Facebook friends). They would also need to know how to use reverse engineering tools to manipulate their own Messenger application and force it to send a custom message.
Facebook awarded Silvanovich a $60,000 donation for finding and disclosing this Messenger for Android bug.
This year alone, Facebook reports that more than $1.98 million was given to researchers from more than 50 countries who reported over 1,000 vulnerabilities.