Facebook has patched a critical vulnerability in the Facebook Messenger app for Android. The bug allowed a caller to listen to the surroundings of the person being called before that person had answered the call.
Attackers could exploit this issue by sending a special type of message, known as SdpUpdate, that would cause the call to connect to the callee’s device before being answered.
“If this message is sent to the called device during a call, it immediately starts transmitting audio, which allows an attacker to eavesdrop on the callee’s surroundings,” Natalie Silvanovich of Google Project Zero explained.
The issue was discovered last month in version 284.0.0.16.119 of Facebook Messenger for Android. Silvanovich also published a Python-based proof-of-concept (PoC) in the Project Zero bug tracker to reproduce the issue.
To force the call to connect automatically, the PoC performs the following steps:
- Wait for the call proposal to be sent and save the sdpThrift field from the proposal
- Send an SdpUpdate message containing that sdpThrift value to the target
- Send a fake SdpAnswer message to the attacker’s device so that it believes the call was answered and plays the incoming audio
“To take advantage of this issue, an attacker must already have permission to call a specific person, bypassing certain compliance checks (for example, Facebook friendship). He will also need to use reverse engineering tools to manipulate his Messenger application and make it send a custom message,” Silvanovich explained.