Although now patched, these vulnerabilities would have posed a major threat to users’ privacy and security if exploited.
Google Project Zero researcher Natalie Silvanovich disclosed vulnerabilities in several video conferencing and messaging applications that could allow malicious users and threat actors to eavesdrop without getting detected.
The vulnerabilities allowed attackers to listen to the surroundings of the person they called even before the call was picked up. It is worth noting that details of a bug of this kind in Facebook Messenger were also reported back on November 20th, 2020.
According to Silvanovich, these were logic bugs found in Google Duo, Signal, JioChat, Facebook Messenger, and Mocha messaging apps.
“I investigated the signaling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data,” Silvanovich wrote in a blog post.
Bugs Identified Back in 2019
As reported by Hackread.com, the vulnerabilities were discovered in January 2019 in Apple’s FaceTime group chat feature and allowed users to initiate a FaceTime video call and spy on targets by merely adding their number as a third person in a group chat before the person accepted the incoming call.
The vulnerability was extremely severe and Apple removed the group chat features from FaceTime until the issue was resolved in an iOS update. Later on, various similar bugs were discovered in the aforementioned chat apps.
About the Bugs
Silvanovich revealed that the vulnerability found in the Signal app was patched in Sep 2019. It allowed attackers to send the connect message from the caller device to the callee without any user interaction. Normally, the message travels the other way, from the callee device to the caller.
Conversely, the Google Duo bug was a race condition that allowed the callee to leak video packets from an unanswered call to the caller before the call was answered. It was patched in Nov 2020.
Facebook Messenger’s bug could allow an attacker to initiate a call and send a custom message to any target after logging in to the app. The target, however, had to be signed in to both the app and a Messenger client such as the web browser for audio to be received from the callee’s device. This bug was also fixed in Nov 2020.
Two similar flaws were identified in Mocha and JioChat messengers. The bugs allowed the callee device to be made to send audio in JioChat and audio and video in Mocha. They were fixed in Jul 2020 and Aug 2020 respectively.
Interestingly, all these bugs were discovered in peer-to-peer calls and not in group chat features.
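The Signal bug described above comes down to a callee device honouring a connect message that only the caller side should ever receive. The following added example (not code from Signal or any app named here; the class and the `offer`/`connect` message names are assumptions) shows a signaling state machine that ties each message to the state in which it is legal, so microphone transmission can start on a callee only after a local user action.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()
    RINGING = auto()    # incoming call, waiting for the local user
    DIALING = auto()    # outgoing call, waiting for the remote user
    CONNECTED = auto()

class Call:
    """Signaling handler for one device (hypothetical message names)."""

    def __init__(self):
        self.state = State.IDLE
        self.mic_enabled = False
        self.rejected = []  # (state, message) pairs refused, for logging

    def dial(self):
        if self.state is State.IDLE:
            self.state = State.DIALING

    def user_accept(self):
        """Local UI action: the only path from RINGING to CONNECTED."""
        if self.state is not State.RINGING:
            return None
        self._connect()
        return "connect"  # message the callee sends to the caller

    def on_remote(self, msg):
        """Handle a message from the peer; return True if it was accepted."""
        if msg == "offer" and self.state is State.IDLE:
            self.state = State.RINGING
            return True
        # A remote "connect" is an answer, so only the dialling side honours it.
        if msg == "connect" and self.state is State.DIALING:
            self._connect()
            return True
        self.rejected.append((self.state.name, msg))
        return False

    def _connect(self):
        self.state = State.CONNECTED
        self.mic_enabled = True  # media transmission starts only here

def callee_after(messages):
    """Feed constructed remote messages to a fresh callee, with no user input."""
    call = Call()
    for msg in messages:
        call.on_remote(msg)
    return call
```

The `rejected` list doubles as a detection signal: a `connect` arriving while the device is ringing is never part of a legitimate call flow.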
If you are using a messaging app, make sure it is updated to the latest version, as updates are meant to fix bugs and flaws that are unknown to unsuspecting users but are a lucrative opportunity for malicious elements.