
Facebook Messenger bug gave access to hackers before users picked up the call, now fixed

The vulnerability was similar to a bug discovered in FaceTime's group call feature last year. However, Facebook confirmed that the vulnerability has never been exploited.

Highlights

  • Facebook Messenger for Android has fixed a bug that would let hackers call users and listen to them even before they picked up the call.
  • The bug in Messenger attracted $60,000 from Facebook’s bug bounty programme, which has been in place for the past decade.
  • The Facebook Messenger bug was similar to the FaceTime bug discovered by a 14-year-old last year. However, Facebook confirmed that it had not been exploited.

Facebook Messenger for Android had a bug that would let hackers call users and listen to them even before they picked up the call. The bug in Messenger attracted $60,000 from Facebook's bug bounty programme, which has been in place for the past decade. It was discovered by Natalie Silvanovich of Google's Project Zero bug-hunting team. Silvanovich, who has been researching other video applications, noted that so far four bugs have been fixed as a result, in Signal, Mocha, JioChat, as well as Facebook Messenger.


The bug in the Facebook Messenger for Android app has now been fixed. According to Wired, the vulnerability was difficult to exploit as it required that both the attacker and target be logged into Facebook for Android. It also required the victim to be logged into Messenger in a web browser or some other way. The caller and recipient would also need to be Facebook friends. Moreover, the attacker would need to use reverse-engineering tools to manipulate their own Messenger application to force it to send a custom message.


"What you would see is the attacker calling you and then the phone ringing and they could listen until you pick up or the call times out," Dan Gurfinkel, Facebook's security engineering manager, said in a blog post. "We quickly patched this before it was exploited."

Facebook confirmed that the vulnerability had never been exploited because no logs contained evidence of the strategic protocol messages attackers would need to send. As per reports, Facebook adjusted its own server-side infrastructure to instantly fix the flaw for all users rather than issuing a patch for the mobile app.

The Facebook Messenger bug was similar to the FaceTime bug discovered by a 14-year-old last year that let hackers call the victim and listen to the user's surroundings even before they picked up the call. Apple's Group FaceTime feature had a bug that enabled iPhone users calling their friends through the feature to listen in on their conversations even if the call had not been picked up. Apple soon followed through with a software fix for the bug. However, reports note that the Messenger bug would be difficult to exploit because the caller and the callee had to be Facebook friends.

Earlier this year, Facebook rolled out Messenger Rooms for up to 50 participants. However, Facebook noted in one of its support pages that Rooms is not end-to-end encrypted.

"Rooms is built on Messenger, so it uses the same technology to encrypt a video and audio conversation between people as it travels from their devices to our servers that we have placed in only a handful of countries that have strong rule of law. Rooms are not end-to-end encrypted. While there are significant challenges to providing end-to-end encryption for video calling with large groups of people, we're actively working toward this for Messenger and Rooms," Facebook noted.