This article was published on November 20, 2020

Facebook patches a Messenger bug that allowed others to snoop on your calls


We often joke around that hackers or government agencies are listening to our calls. Facebook just patched a bug that would’ve allowed anyone to snoop on your calls on Messenger.

The bug was found by Google Project Zero researcher Natalie Silvanovich last month, and it affected Messenger’s Android users. To start the attack, the hacker would have to initiate a call and send a specially crafted invisible message. Then they could listen to your audio, even if you don’t pick up the call. 

Thankfully, this vulnerability was only exploitable in special circumstances and required specific tools. For instance, both the attacker and the victim would need to have been logged in to Messenger for Android. In addition to that, the victim also needed to be logged into Messenger through a web browser. What’s more, the attacker would need permission to call the victim, meaning they’d have to already be on the victim’s friend list.

Last year, Apple fixed the bug that let your contacts eavesdrop on you through FaceTime. Silvanovich said that after this exploit was found, she began to research other apps. So far, she has found bugs in other communication apps such as Signal, Mocha, and JioChat; all of them have been patched.

Facebook revealed details about this bug as part of a blog post marking the 10th anniversary of its bug bounty program. The company said it has paid $11.7 million to security researchers for 6,900 accepted bug reports out of more than 130,000 submitted.

Last month, the social network unveiled a new loyalty program, called Hacker Plus, to further incentivize bug sleuths discovering vulnerabilities in Facebook’s platforms.

You can read the full technical description of the vulnerability here.
