Signal, Facebook and Google among apps open to eavesdropping
A researcher from Google's Project Zero team has revealed details of security vulnerabilities in widely used video chat apps that enabled bad actors to eavesdrop on a target's surroundings without the target's knowledge.
According to security engineer Natalie Silvanovich, the bugs existed in Signal, Google Duo and Facebook Messenger, as well as other apps mostly used in Asia. They allowed attackers to listen in on a call recipient without the target being alerted.
Each vendor has since patched the bugs - some faster than others.
"On January 29, 2019, a serious vulnerability was discovered in Group FaceTime which allowed an attacker to call a target and force the call to connect without user interaction from the target," Silvanovich wrote in a blog post.
"The bug was remarkable in both its impact and mechanism," she added.
The flaw was so serious that Apple removed the FaceTime group chats feature before it could address the issue in a subsequent iOS update.
Following the discovery of the FaceTime bug, the Project Zero team investigated several other messaging apps and identified similar flaws affecting Signal, Facebook Messenger, Google Duo, JioChat (mostly used in India), and Mocha (prevalent in Vietnam).
No such issues were found in the Viber or Telegram apps, Silvanovich said, adding that significant reverse engineering challenges made the Viber investigation "less rigorous" than the others.
Signal, which has recently seen a massive increase in its user base, patched the ..