
Facebook messenger gets updated for Android, serious bug nets 60k bounty from blog The Technology blog and podcast

This is for the technology blog and podcast Commentary, articles, and podcasts


Facebook messenger gets updated for Android, serious bug nets 60k bounty

While I initially started reading this article this morning, I have now read the entire article that we’ll be linking to.

Elizabeth Montalbano, an author at Threatpost, writes about the potential bug, which was patched on November 19th.

Natalie Silvanovich is the researcher at Google Project Zero who reported this bug to Facebook, the company that runs Messenger.

Natalie Silvanovich, a security researcher at Google Project Zero, discovered the vulnerability, which she said existed in the app’s implementation of WebRTC, a protocol used to make audio and video calls by “exchanging a series of thrift messages between the callee and caller,” she explained in a description posted online.

In a normal scenario, audio from the person making the call would not be transmitted until the person on the other end accepts the call. This is rendered
in the app by either not calling setLocalDescription until the person being called has clicked the “accept button,” or setting the audio and video media
descriptions in the local Session Description Protocol (SDP) to inactive and updating them when the user clicks the button, Silvanovich explained.

“However, there is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately,” she explained.
“If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker
to monitor the callee’s surroundings.”

Silvanovich provided a step-by-step reproduction of the issue in her report. … however, an attacker would
already have to have permissions—i.e., be Facebook “friends” with the user–to call the person on the other end.

The last section is the most important thing to know: the two parties must have been Facebook friends for this to work. We want these brave men and women to find these bugs before the bad guys can, and I’m glad this woman did. As Steve Gibson has said, one of the members may have found the idea while taking a shower. I know it's probably a joke, but that may be when people can think, right? At least we know that the bug is fixed now.
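The call-setup flaw in the quoted passage comes down to a missing consent check on one message type. The following is an added example, not code from Messenger or from the original report: a simplified model of a callee's signaling handler, with and without that check. `FakePeerConnection`, `Callee`, `audioBeforeAccept` and the `Offer` message name are assumptions made for illustration; only `SdpUpdate` and `setLocalDescription` come from the description above.

```javascript
// Simplified model of a callee's signaling handler (not Messenger's code).
// FakePeerConnection stands in for RTCPeerConnection so this runs in Node.
class FakePeerConnection {
  constructor() { this.localDescriptionSet = false; }
  setLocalDescription() { this.localDescriptionSet = true; }
  get sendingAudio() { return this.localDescriptionSet; } // model: media starts here
}

class Callee {
  constructor(hardened) {
    this.hardened = hardened;
    this.state = 'idle';            // idle -> ringing -> accepted
    this.pc = new FakePeerConnection();
    this.dropped = [];              // message types refused by the consent gate
  }
  // Messages from the remote peer over the signaling channel.
  onSignal(msg) {
    switch (msg.type) {
      case 'Offer':                 // hypothetical name for the call set-up message
        this.state = 'ringing';     // ring only; the description is not applied yet
        break;
      case 'SdpUpdate':
        // Hardened: anything that can start media requires the user's accept.
        if (this.hardened && this.state !== 'accepted') {
          this.dropped.push(msg.type);
          break;
        }
        this.pc.setLocalDescription();
        break;
    }
  }
  // Local UI event: the user pressed the accept button.
  onUserAccept() {
    if (this.state !== 'ringing') return;
    this.state = 'accepted';
    this.pc.setLocalDescription();
  }
}

// Replays a message sequence with no accept click; returns whether audio is sent.
function audioBeforeAccept(hardened, messages) {
  const callee = new Callee(hardened);
  messages.forEach((m) => callee.onSignal(m));
  return callee.pc.sendingAudio;
}

// Constructed sample sequence: the phone is ringing when SdpUpdate arrives.
const ringingThenUpdate = [{ type: 'Offer' }, { type: 'SdpUpdate' }];
console.log(audioBeforeAccept(false, ringingThenUpdate), audioBeforeAccept(true, ringingThenUpdate));
```

The general lesson for reviewers is to gate every handler that can reach `setLocalDescription` on the accepted state, not only the handlers that belong to normal call set-up.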

Would you like to read more? No problem! Facebook Messenger Bug Allows Spying on Android Users is the article, and I hope that people will read it. It's well worth learning about how this works and what happened.

About the article

Facebook messenger gets updated for Android, serious bug nets 60k bounty was released on November 22, 2020 at 1:15 pm by tech in article commentary.
Last modified: November 22, 2020.
