A Facebook Messenger bug discovered earlier this year was revealed this week by a security researcher. The bug affected the Facebook Messenger call system: it took advantage of a loophole that let an attacker place a call and have it auto-answered on the receiver’s end. With this bug, an attacker could effectively listen to you through your phone without your knowledge.
Why is this an issue?
The bug allowed an attacker to call your phone with Facebook Messenger and force your phone to pick up the call without your input. Once the call connected, the attacker could listen in on your conversations with impunity.
How did this happen?
Facebook Messenger sets up calls with WebRTC, which works slightly differently from the way your phone’s normal dialer places a call. Normally a set of checks is required before the caller and the receiver connect: the caller should not be able to connect to the receiver unless the receiver taps a button to accept the call.
The security researcher “Natashenka” (N. Silvanovich) discovered a way to bypass the check that is normally required to connect the call. The caller sends a special kind of message that forces the receiver’s phone to connect audio.
Per the researcher’s note: “If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”
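To make the failure mode concrete, here is an added example (not Facebook’s code, and the message and state names are hypothetical) modelling a callee’s call state machine: the vulnerable variant applies a caller-sent media update in any state, while the hardened variant ignores it unless the user has already accepted.

```javascript
// Hypothetical callee state machine; not Messenger's real signalling.
const State = Object.freeze({
  IDLE: 'idle', RINGING: 'ringing', ACCEPTED: 'accepted', ENDED: 'ended',
});

class Callee {
  constructor({ enforceAccept }) {
    this.state = State.IDLE;
    this.enforceAccept = enforceAccept; // false = vulnerable, true = hardened
    this.audioTransmitting = false;
    this.rejected = [];
  }
  // Incoming call offer: start ringing, but touch no media yet.
  onOffer() {
    if (this.state === State.IDLE) this.state = State.RINGING;
  }
  // The user taps the accept button; only now should audio flow.
  onUserAccept() {
    if (this.state !== State.RINGING) return;
    this.state = State.ACCEPTED;
    this.audioTransmitting = true;
  }
  // A media-update message from the caller (hypothetical message type).
  // The hardened path gates it on user acceptance; the vulnerable path does not.
  onMediaUpdate(msg) {
    if (this.enforceAccept && this.state !== State.ACCEPTED) {
      this.rejected.push(`${msg.type} ignored in state ${this.state}`);
      return false;
    }
    if (msg.audio === 'sendrecv') this.audioTransmitting = true;
    return true;
  }
  onHangup() {
    this.state = State.ENDED;
    this.audioTransmitting = false;
  }
}

// Replay the scenario from the write-up: the caller sends a media update
// while the callee is still ringing. Returns what a detector would inspect.
function simulate(enforceAccept) {
  const callee = new Callee({ enforceAccept });
  callee.onOffer();
  callee.onMediaUpdate({ type: 'media-update', audio: 'sendrecv' }); // constructed message
  return { state: callee.state, audioTransmitting: callee.audioTransmitting, rejected: callee.rejected };
}
```

A practical detection check on a real client is the same invariant the hardened path enforces: no outbound audio track may be live while the call is still in the ringing state.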
Should you worry?
It appears that the latest version of Facebook Messenger fixes this issue. If you have the latest version of Facebook Messenger on your smartphone and/or tablet, you should be safe. Silvanovich donated the bug bounty for this bug to charity.
However, this is not the first time in recent memory that Facebook’s Messenger family has had issues. Take a peek at the time Facebook Messenger Kids had a bug that allowed kids to chat with strangers, and how it then expanded. Drop in to our recent guide, How secure is your messenger app? Things you should know, and stay vigilant.