The vulnerability existed in the Facebook Messenger Rooms video chat feature and exposed Android smartphone users to intrusion.
Nepalese security researcher Samip Aryal has identified a security vulnerability in the Facebook Messenger Rooms video chat feature that lets attackers access any user’s private Facebook photos and videos or submit posts on their behalf.
Astonishingly, this feat can be accomplished without unlocking Android phone, although physical access to the mobile phone or tablet will be necessary.
Arypal received a $3,000 bug bounty for identifying this vulnerability. This Facebook Messenger bug is quite similar to the vulnerability discovered in October 2020 that attackers could use to expose a user’s private/stored videos and view history through the Watch Together feature enabled during a Messenger call.
About the Vulnerability
A proof-of-concept video was submitted to Facebook along with the vulnerability report. It demonstrated how it is possible to compromise a user’s Facebook account by sending an invite to a Messenger Room, making a call, and answering the call from the target device prior to clicking on the chat function. This bug was patched at that time.
Aryal applied a similar hacking technique to the Messenger Rooms ‘room call’ feature and found out that the chat feature can be activated during a call without physically unlocking the targeted Android phone or tablet.
How Facebook Account can be Compromised
According to his blog post, the researcher logged into a Facebook account through a desktop PC and hosted a Messenger Room to exploit the bug. He then invited an account that was active on an Android device to join the chat.
After joining the room using the malicious account, the researcher called the victim’s device using the Invited Users feature, and within a few seconds, the screen-locked device started ringing.
He then picked up the call and tried other sensitive features such as ‘Watch Together,’ ‘Add People,’ etc., but required the phone to be unlocked. But he noticed a prompt to chat with other room attendees, which was located at the top right-hand corner of the call screen. Aryal could access all private photos and videos on that device without unlocking it and submit posts through the Edit option.
Facebook implemented a hotfix for this bug within one day, both from the client-side and the server-side, and patched it in other vulnerable versions of the Messenger.