Facebook Messenger bug allowed callers to listen to unattended calls

The bug existed in the Facebook Messenger app for Android.


The bigger an application, the more potential it has to contain vulnerabilities. The same goes for Facebook, which is again in the news. This time, a bug was found in its Messenger app that could have enabled attackers to listen to users before they even picked up audio calls on the app.


As reported by Natalie Silvanovich, a member of the Bug Hunting Team of Google’s Project Zero, the bug was found initially on 6 October and was subsequently patched by Facebook.


The vulnerability worked as follows: an attacker could place an audio call to the recipient and send them a special message at the same time, while the recipient was “logged in on Messenger for Android and another Messenger client (i.e. web browser).”



The caller would then be able to hear the recipient’s audio until the recipient answered the call or the call “timed out.”




However, the caller and the recipient would need to be Facebook friends as a prerequisite for the call to be placed in the first place. Moreover, as Facebook states,



They’d also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a custom message.

