Facebook rooted a harmful bug that could have left millions of its Android Messenger users at risk of being spied. The users were on the verge of losing their privacy, just through a phone call.
All an attacker had to do was to send a bug text message named ‘SdpUpdate’ on the Messenger app. The bug linked the caller with callee’s phone, which provided access to the audio before callee answered the call.
This issue could have left millions of users vulnerable, and their private conversations leaked. However, Zuckerberg’s team took swift action and got it fixed on time.
On October 7, 2020, Google Project Zero’s security researcher Natalie Silvanovich first reported this security breach and identified the bug.
Natalie works on browser security, and her core focus remains on tackling security faults that can breach the user’s privacy. While mentioning the Messenger bug, she said:
“There is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately.”
Natalie discovered that the bug, SdpUpdate, resided in Session Description Protocol (SDP) that is part of WebRTC. This automatically allowed the messenger protocol to access callee’s surroundings without them knowing.
Testing the bug
Natalie performed a test to reproduce the bug and dig a bit deeper into the issue. After activating a code through Python-based proof-of-concept (PoC), she successfully reproduced the glitch on Project Zero’s bug tracker.
The issue was spotted in Facebook Messenger’s Android version 2220.127.116.11.119. After drawing a simple python program and making an audio call, the attacker could access the audio of the targeted device.
In a little while, the attacker was able to hear audio from the target’s background.
The PoC steps that automatically connected the call to the target’s device are as follows:
- Send the offer and then store the sdpThrift field from the offer.
- After the offer is sent, a SdpUpdate message will approach the target using sdpThift.
- At last, a fake SdpAnswer message will be sent to the attacker, faking the target’s device to give access to its audio.
How did Facebook respond?
The social media giant did not take much time to hit back. They explained that the attacker would have already become friends with the user and eligible to call them to exploit this issue.
Facebook noted in their blogpost:
“They’d also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a custom message,”
The company made a quick recovery and ensured further security; they followed up with a combination of manual code review and automated detection. The security researchers are looking after the app through additional protection.
As a gesture of gratitude, Facebook awarded Natalie with a bug bounty of $60,000 — which records the third-highest bug bounty award by the social giant this year. In 2020, the company has already given $1.98 billion in bug bounty rewards to security researchers.
Facebook paying handsome money for this bug to Google security researcher, Natalie, also hints how severe its potential impact could have been.