Facebook Messenger bug allowed Android users to spy on each other

Bleeping Computer

Facebook fixed a critical flaw in the Facebook Messenger for Android messaging app that allowed callers to listen to other users’ surroundings without permission before the person on the other end picked up the call.

Facebook Messenger for Android has been installed on more than 1 billion Android devices according to the app’s official Play Store page.

Attackers could have exploited this bug by sending a special type of message known as SdpUpdate which would cause the call to connect to the callee’s device before it was answered.

If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings, explains Natalie Silvanovich, a researcher on Google’s Project Zero bug-hunting team.
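The flaw described above comes down to a missing state check on the callee side: media should only start after the local user answers. The following is an added example, not code from the article or from Messenger; it models the flawed handling next to a hardened one, and every name in it other than SdpUpdate (CalleeSession, gate_on_answer, the alert text) is hypothetical.

```python
from enum import Enum, auto


class CallState(Enum):
    RINGING = auto()
    ANSWERED = auto()


class CalleeSession:
    """Constructed model of a callee-side call session (not Messenger code)."""

    def __init__(self, gate_on_answer):
        self.gate_on_answer = gate_on_answer  # True = hardened behaviour
        self.state = CallState.RINGING
        self.transmitting_audio = False
        self.deferred_sdp = None
        self.alerts = []  # events worth logging for detection

    def on_sdp_update(self, sdp):
        """Handle an SdpUpdate signaling message from the caller."""
        if self.gate_on_answer and self.state is not CallState.ANSWERED:
            # Hardened: hold the update and keep the microphone closed.
            self.deferred_sdp = sdp
            self.alerts.append(f"SdpUpdate while {self.state.name}")
            return
        self._connect(sdp)

    def user_accepts(self):
        """Only this local user action may open the media path."""
        self.state = CallState.ANSWERED
        self._connect(self.deferred_sdp)
        self.deferred_sdp = None

    def _connect(self, sdp):
        self.transmitting_audio = True


def run_scenario(gate_on_answer):
    """Caller sends SdpUpdate during ringing; callee answers afterwards."""
    session = CalleeSession(gate_on_answer)
    session.on_sdp_update("v=0 (constructed SDP body)")
    audio_before_answer = session.transmitting_audio
    session.user_accepts()
    return audio_before_answer, session.transmitting_audio, session.alerts


if __name__ == "__main__":
    print("flawed  :", run_scenario(gate_on_answer=False))
    print("hardened:", run_scenario(gate_on_answer=True))
```

In the hardened run the call still connects normally once answered, and the early SdpUpdate leaves an alert entry that a client or server could log.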
