It's been almost a decade since Facebook started offering researchers cash rewards for finding and disclosing vulnerabilities in the company's platforms. Those same 10 years have proved both the social network's popularity and serious pitfalls, as its privacy and misinformation-related failures have impacted geopolitics around the world. But the bug bounty program, at least, has consistently been a bright spot, this year paying out two of its three largest rewards ever—including $60,000 for a bug in Messenger that could have allowed an attacker to call you and start listening to your end before you picked up.
Discovered by Natalie Silvanovich of Google's Project Zero bug hunting team, the vulnerability, which is now patched, could have been exploited on Messenger for Android if an attacker simultaneously called a target and sent them a specially crafted, invisible message to trigger the attack. From there, the hacker would start hearing audio from the victim's end of the call, even if they didn't answer, for however long it rang. The bug bears some similarities to one Apple scrambled to patch last year in FaceTime group calls.
"What you would see is the attacker calling you and then the phone ringing and they could listen until you pick up or the call times out," says Dan Gurfinkel, Facebook's security engineering manager. "We quickly patched this before it was exploited."
The vulnerability would have been difficult to exploit in practice for a few reasons. It required that both th ..
Support the originator by clicking the read the rest link below.
