Facebook has fixed a security bug in its Messenger for Android app that could have allowed attackers to place and connect Messenger audio calls without the callee's knowledge or interaction.
The vulnerability, which could have been abused to spy on Facebook users via their Android phones, was found during a security audit by Natalie Silvanovich, a researcher working for Google's Project Zero security team.
In a bug report made public today, Silvanovich said the bug resided in the WebRTC protocol that the Messenger app is using to support audio and video calls.
More specifically, Silvanovich said the problem resided in the Session Description Protocol (SDP), part of WebRTC. This protocol handles session data for WebRTC connections, and Silvanovich discovered that an SDP message could be abused to auto-approve WebRTC connections without user interaction.
"There is a message type that is not used for call set-up, SdpUpdate," Silvanovich explained. "If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee's surroundings."
Exploiting the bug takes a few seconds, according to Silvanovich's bug report.
The Google researcher reported the issue to Facebook last month, and the social media giant patched it via a server-side update to its Messenger service.
In a Twitter message, Silvanovich said Facebook awarded her a $60,000 bug bounty for reporting the issue, which the Google researcher chose to donate to the GiveWell, a non-profit that coordinates charity activities for maximum funds usage.
"This report is among our three highest bug bounties at $60,000, which reflects its maximum potential impact," Facebook said today, which also made an equal donation of its own to GiveWell.
In previous years, Silvanovich also found and reported similar issues in other instant messaging applications, one of her areas of expertise.
In October 2018, she found a bug in WhatsApp for Android and iOS that would have allowed attackers to take over the app after a user answered a video call.