Security Vulnerability in Facebook’s Messenger Rooms Could Expose Users’ Private Photos and Videos

Adam Bannister, 14 June 2021 at 12:40 UTC. Updated: 14 June 2021 at 13:27 UTC

Researcher earns $3,000 bug bounty after compromising Facebook accounts on screen-locked devices



A security vulnerability in Facebook’s Messenger Rooms video chat feature meant that an attacker holding a victim’s locked Android device could access the victim’s private Facebook photos and videos, and submit posts from their account, without ever unlocking the screen.


As demonstrated in a proof-of-concept video that accompanied the vulnerability report to Facebook, an attacker could compromise a user’s account by inviting them to a Messenger Room, calling the target device, answering that call on the device from the lock screen, and then opening the chat function from the in-call interface.


Although the attack required physical access to the victim’s device, it could be carried out without unlocking the target smartphone or tablet, placing it in the lock-screen-bypass class of bugs. It netted Nepalese security researcher Samip Aryal a $3,000 bug bounty.


Security bug sequel


Aryal’s latest find was inspired by a previous, similar Facebook Messenger vulnerability he unearthed in October 2020, whereby users’ private, saved videos and viewing history could be exposed via the Watch Together feature during a Messenger call.




Also exploitable by an attacker with physical access to a locked An ..
