Vulnerabilities in Popular Instant Messengers Allowed Spying on Users

Vulnerabilities in several mobile video-calling applications allowed an attacker to listen in on the sounds around a user without the user's permission, even before the user answered the call.

Logical vulnerabilities in Signal, Google Duo, Facebook Messenger, JioChat and Mocha were discovered by Google Project Zero researcher Natalie Silvanovich and are currently being fixed. Before the fixes, they allowed an attacker to force a targeted device to transmit audio to a device under the attacker's control without executing any code on it.

“I studied the state machine signaling of seven video conferencing applications and found five vulnerabilities that allow the calling device to force the called device to transmit audio or video data. In theory, it is quite easy to ensure that the callee agrees to transmit audio or video: before adding any tracks to the peer-to-peer connection, you need to wait for the caller to accept the call. However, after studying real applications, I saw that they allowed data transfer in different ways. Most of them led to the emergence of vulnerabilities that allow you to connect calls without interacting with the callee,” explained Silvanovich.
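As an added illustration (not code from the article or from any of the applications it names), the following Python model of the callee side of a call shows the rule Silvanovich describes: media tracks are attached only after the local user accepts, so a connect message from the caller alone cannot start transmission. The state names, message handlers and the `gate_on_local_accept` switch are assumptions invented for the model.

```python
"""Callee-side call signaling model. Added example, not code from any of
the apps discussed; state and message names are invented for the model."""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    RINGING = auto()    # caller's offer received, waiting for the local user
    ACCEPTED = auto()   # local user pressed "answer"
    CONNECTED = auto()  # media tracks attached, audio/video may flow


@dataclass
class Callee:
    # gate_on_local_accept=False models the bug class in the article: a
    # message from the caller alone is enough to start sending media.
    gate_on_local_accept: bool = True
    state: State = State.IDLE
    tracks_sent: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def on_offer(self):           # signaling message from the caller
        if self.state is State.IDLE:
            self.state = State.RINGING

    def on_user_accept(self):     # local UI action, the only trusted consent
        if self.state is State.RINGING:
            self.state = State.ACCEPTED

    def on_remote_connect(self):  # signaling message from the caller
        if self.gate_on_local_accept and self.state is not State.ACCEPTED:
            self.rejected.append("connect before local accept")
            return
        self.state = State.CONNECTED
        self.tracks_sent.extend(["audio", "video"])  # tracks added to the peer connection


def simulate(gate_on_local_accept, user_answers):
    """Caller sends offer, then connect; the user may or may not answer."""
    callee = Callee(gate_on_local_accept)
    callee.on_offer()
    if user_answers:
        callee.on_user_accept()
    callee.on_remote_connect()
    return callee.state, callee.tracks_sent, callee.rejected


if __name__ == "__main__":
    print("hardened, unanswered:", simulate(True, False))
    print("ungated, unanswered:", simulate(False, False))
```

The first call stays in RINGING with no tracks attached, while the ungated variant reaches CONNECTED and sends media although the user never answered.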

As the researcher found out, a vulnerability in Signal, fixed in September 2019, allowed an audio call to be connected when the calling device sent a connect message to the called device, without any action by the callee, although it should be the other way around (to accept the call, the called device must send that message to the caller).

A race condition vulnerability in Google Duo allowed the callee's device to send data packets to the caller before the callee answered the call. The issue was fixed in December 2020.

A Facebook Messenger vulnerability that allowed an audio call to be connected before the callee picked up was patched in November 2020.

Two similar vulnerabilities were discovered in JioChat and Mocha in July 2020. The bugs allowed audio (JioChat, fixed in July 2020) and audio/video (Mocha, fixed in August 2020) to be transmitted without the user's knowledge.

Silvanovich checked other messengers (including Telegram and Viber) for the same class of vulnerabilities but found none.

A state machine (finite automaton) is a mathematical abstraction: a model of a discrete device that has one input and one output and is, at each moment in time, in exactly one of a finite set of possible states.

