Tamagotchi hacker, Natalie Silvanovich, who works as a Security Engineer on Prjoect Zero at Google recently received a bounty of $60,000 for identifying a bug in Facebook Messenger which allows a call to connected much before the callee has answered the call. The bug seems to exist on the Android Facebook messenger app only.
Facebook Messenger sets up audio and video calls in WebRTC by exchanging a series of thrift messages between the callee and caller. WebRTC is a free, open-source project that provides web browsers and mobile applications with real-time communication via simple application programming interfaces.
Usually in an audio call, audio is transmitted only when the callee has attended the call. However, there is an instance when the call transmitting audio even before the recipient of the call can accept the call. This allows any miscreant to monitor the victim’s surroundings.
Facebook generously awarded a bounty of $60,000 for this bug, which I’m donating to the @GiveWell Maximum Impact Fund https://t.co/JvZt9Fw4nx
— Natalie Silvanovich (@natashenka) November 19, 2020
Surprised? So are we!! Let’s have a look at how this can be re-created.
1) Log into Facebook Messenger on the attacker device
2) Log into Facebook Messenger on the target device. Also log into Facebook in a browser on the same account. (This will guarantee call set-up uses the delayed calls to setLocalDescription strategy, this PoC doesn’t work with the other strategy)
3) install frida on the attacker device, and run Frida server
4) make a call to any device with the attacker device to load the RTC libraries so the can be hooked with Frida
5) unzip sdp_update, and locally in the folder, run:
python2 modifyout(.)py “attacker device name”
(to get a list of devices, run python2 modifyout(.)py
6) make an audio call to the target device
In a few seconds, audio from the target devices can be heard through the speakers of the attacker device.
The PoC performs the following steps:
1) Waits for the offer to be sent, and saves the sdpThrift field from the offer
2) Sends an SdpUpdate message with this sdpThift to the target
3) Sends a fake SdpAnswer message to the *attacker* so the device thinks the call has been answered and plays the incoming audio
Unusual? Yes!
Common? More than you think
In early 2019, Apple’s Facetime had a similar bug whereby you could listen to the listen in on someone, even if they have not picked the call.
The smartphone may really be much smarter than we can imagine.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
Also Read
Facebook Taken Down Number of Political ads due to Technical Flaws in their System
Facebook Hacking made Easy and Convenient with Numerous Hacking Apps
