The bug existed in the Facebook Messenger app for Android.
The bigger an application, the more potential for it to contain vulnerabilities. The same goes for Facebook who is again in the news. In the latest, it has been found that there was a bug in its Messenger which could have enabled attackers to listen to users before they even picked up audio calls on the app.
As reported by a member of the Bug Hunting Team of Google’s Project Zero named Natalie Silvanovich, the bug was found initially on 6 October and was subsequently patched by Facebook.
How the vulnerability exactly worked was that an attacker could make an audio call to the recipient while sending a special message to them at the same time while they were “logged in on Messenger for Android and another Messenger client (i.e. web browser).”
This would result in the caller then being allowed to hear the recipient’s audio until they attended the call or the call “timed out.”
However, this would require the caller and the recipient to be Facebook friends as a pre-requisite for the call to be placed in the first place. Moreover, as Facebook states,
They’d also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a custom message.
It is also important to remember that this message is no ordinary message and would require a detailed set-up elaborated on in Natalie’s post.
To conclude, this flaw was found in Messenger’s version 2126.96.36.199.119 and according to Facebook resulted in a reward of $60,000 as part of its bug bounty program. As it was patched almost within 8 weeks, this comes across as very responsible behavior on behalf of Facebook.