Due to a previously undiscovered security gap in Facebook Messenger, it was theoretically possible to eavesdrop on users via voice calls that they did not make themselves.

A serious security gap has now become known in the Android version of the messenger. Apparently hackers were able to eavesdrop on users by calling them unnoticed. Facebook now wants to fix the problem with an update.

Problems with Messenger became apparent in real-time communication

According to the IT magazine Golem, the story didn't come out through Facebook itself, but thanks to Natalie Silvanovich. The security researcher at Google's Project Zero discovered the vulnerability in Messenger and pointed it out to Facebook. She noticed that the gap was in the implementation of the WebRTC connection.

WebRTC provides real-time communication capabilities, such as access to the camera or microphone, as well as video calls or screen sharing. According to the provider, the open source project is available for all common browsers and can also be used for smaller apps.


But there was a problem here, as Silvanovich discovered. With a WebRTC connection, the call can also begin with an SDP (Session Description Protocol) message, without the person being called having to interact in the messenger.

According to the internet magazine ZDNet, Silvanovich explains the problem herself as follows: “There is a message type that is not used for connection establishment, SdpUpdate. If this message is sent to the callee's device while it is ringing, it will cause the device to immediately begin transmitting audio, which could allow an attacker to monitor the callee's environment.”

According to Golem, there are certain conditions for a “successful” attack. On the one hand, it must be possible to call the person being attacked via Messenger, for example through a Facebook friend, and on the other hand, the person being attacked must be logged into Facebook both in Messenger and in a browser. The problem is now said to have been fixed by the new update from Facebook.
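The flaw described above comes down to a signaling message being honoured in the wrong call state. The following JavaScript is an added example, not Messenger's code and not part of the original article: it models a callee with and without a state check. Apart from the `SdpUpdate` type name, the states, message shapes and class names are assumptions.

```javascript
// Simplified callee-side signaling model. State names and message shapes are
// assumptions for illustration; only the "SdpUpdate" type name is from the article.
const State = Object.freeze({ IDLE: "idle", RINGING: "ringing", ACTIVE: "active" });

class CalleeSession {
  constructor({ hardened }) {
    this.hardened = hardened;      // true = enforce the state check
    this.state = State.IDLE;
    this.micTransmitting = false;
    this.rejected = [];            // rejected messages, useful as a detection signal
  }

  // Signaling message from the remote peer (untrusted input).
  onSignal(msg) {
    switch (msg.type) {
      case "Offer":
        if (this.state !== State.IDLE) return this.reject(msg);
        this.state = State.RINGING; // device rings, no media is sent yet
        return true;
      case "SdpUpdate":
        // Hardened: only a call the local user has accepted may be renegotiated.
        if (this.hardened && this.state !== State.ACTIVE) return this.reject(msg);
        // Flawed: the update is applied while still ringing, which starts audio.
        if (this.state === State.IDLE) return this.reject(msg);
        this.applyRemoteDescription();
        return true;
      default:
        return this.reject(msg);
    }
  }

  // Local UI event: the only intended way to leave RINGING and enable the microphone.
  onUserAccept() {
    if (this.state !== State.RINGING) return false;
    this.state = State.ACTIVE;
    this.applyRemoteDescription();
    return true;
  }

  applyRemoteDescription() { this.micTransmitting = true; }
  reject(msg) { this.rejected.push(`${msg.type} in state ${this.state}`); return false; }
}

// Replays a constructed event trace: "accept" is the user tapping accept,
// anything else is a remote signaling message.
function replay(hardened, events) {
  const s = new CalleeSession({ hardened });
  for (const e of events) { if (e === "accept") s.onUserAccept(); else s.onSignal(e); }
  return s;
}
```

Replaying the trace `[{ type: "Offer" }, { type: "SdpUpdate" }]` leaves the microphone on in the flawed variant, while the hardened variant stays in the ringing state and records the rejected message.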

There is a so-called bug bounty for discovering the gap

As a reward for her discovery, Silvanovich received $60,000 from Facebook. The payment is nothing unusual in itself, but is part of the bug bounty program. If you discover a bug that affects Facebook, you can report it to the company within the research community. According to Facebook, over 130,000 reports have been received since 2011, of which 6,900 were deemed worthy of reward by the company.

The payment to Silvanovich is among the three highest rewards to date. According to ZDNet, she doesn't keep the money herself, but donates it to GiveWell, which rates charity organizations based on their donation efficiency.
