Facebook has patched a bug in its widely installed Messenger app for Android that could have allowed a remote attacker to call unsuspecting targets and listen to them before they even picked up the audio call.
The flaw was discovered and reported to Facebook by Natalie Silvanovich of Google’s Project Zero bug-hunting team last month on October 6 with a 90-day deadline, and impacts version 218.104.22.168.119 (and before) of Facebook Messenger for Android.
In a nutshell, the vulnerability could have allowed an attacker who is logged into the app to simultaneously initiate a call and send a specially crafted message to a target who is signed in to both the app and another Messenger client, such as the web browser.
“It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out,” Facebook’s Security Engineering Manager Dan Gurfinkel said.
According to a technical write-up by Silvanovich, the flaw resides in WebRTC’s Session Description Protocol (SDP) — which defines a standardized format for the exchange of streaming media between two endpoints — allowing an…