Facebook Messenger Flaw Enabled Spying on Android Callees

A critical flaw in Facebook Messenger on Android would let someone start an audio or video call without the victims knowledge.

Facebook has patched a critical vulnerability in the Facebook Messenger for Android mobile app, which could have let attackers spy on other Facebook users using audio and video calls.
Natalie Silvanovich, the researcher with Googles Project Zero who discovered the bug, says it existed in Facebook Messengers implementation of a protocol called WebRTC, which the app uses to set up audio and video calls by exchanging thrift messages between callee and caller.
Normally, a person receiving a call doesnt send audio until the call is accepted, Silvanovich said in a write-up of her findings. This step is implemented by either not calling setLocalDescription until the callee has clicked accept, or by setting audio and video media description in the local Session Description Protocol (SDP) to inactive and updating them when the call is accepted.
However, she wrote, there is a message type called SdpUpdate, which is not used for call setup and will cause setLocalDescription to be called immediately. If this message is sent to someone while their phone is ringing, the callee would begin to transmit audio immediately and enable an attacker to listen to their surroundings. The callee would not have to answer their phone.
Silvanovich explains the steps of an attack in her report. In a separate
write-up
celebrating the 10th anniversary of its bug bounty program, Facebook noted an attacker would need to have certain permissions, such as already being Facebook friends, to call a victim. The attacker would also need to use reverse engineering tools to send a custom message from their Messenger app.
Facebook fixed the vulnerability with a server-side patch and says its researchers applied more protections for this issue across apps that use the same protocol for one-on-one calls. The flaw merited a bug bounty of $60,000, among the three highest bug bounties the company offers.
Read Silvanovichs Project Zero
bug report
for more details.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Facebook Messenger Flaw Enabled Spying on Android Callees