We often joke that hackers or government agencies are listening to our calls. Facebook has just patched a bug in Messenger that would have let an attacker listen in on yours.
The bug was found last month by Google Project Zero researcher Natalie Silvanovich, and it affected Messenger's Android users. To carry out the attack, the attacker would initiate a call and then send a specially crafted message that is never shown to the victim. That message caused the victim's device to start transmitting audio, so the attacker could listen in even if the victim never picked up the call.
Thankfully, the vulnerability was only exploitable under specific conditions and required specialised tools. Both the attacker and the victim had to be logged in to Messenger for Android, and the victim also had to be logged in to Messenger in a web browser at the same time. On top of that, the attacker needed permission to call the victim, which means they would already have had to be on the victim's friends list. In other words, a random stranger could not have used it, but a malicious contact could.
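The security-relevant point is the missing state check: the callee's device started sending audio because a media setup message arrived, not because the user had accepted the call. The following simplified model is an added example and is not Messenger's code, Project Zero's proof of concept, or any real client; the message names ("call_offer", "media_setup", "hangup") and the class layout are assumptions chosen to illustrate the bug class. It contrasts a callee that starts transmitting on any setup message with one that defers media until the user explicitly accepts and that ignores setup messages from anyone other than the current caller.

```python
"""
Added illustration (not Messenger's code): a toy call-signalling state machine
showing why audio must be gated on an explicit user accept, not on the arrival
of a media setup message from the network. Message names are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class CallState(Enum):
    IDLE = auto()       # no call in progress
    RINGING = auto()    # incoming call shown to the user, not yet accepted
    CONNECTED = auto()  # user pressed "accept"; media may flow


@dataclass
class Message:
    kind: str           # "call_offer", "media_setup" or "hangup" (assumed names)
    sender: str


@dataclass
class VulnerableCallee:
    """Starts sending audio on any media_setup message, whatever the call state."""
    state: CallState = CallState.IDLE
    remote: Optional[str] = None
    transmitting: bool = False

    def handle(self, msg: Message) -> None:
        if msg.kind == "call_offer":
            self.state, self.remote = CallState.RINGING, msg.sender
        elif msg.kind == "media_setup":
            # BUG: no check that the local user has accepted the call,
            # and no check that the message came from the caller.
            self.transmitting = True
        elif msg.kind == "hangup":
            self.state, self.remote, self.transmitting = CallState.IDLE, None, False

    def accept(self) -> None:
        self.state, self.transmitting = CallState.CONNECTED, True


@dataclass
class HardenedCallee:
    """Gates media on an explicit accept and on the message coming from the caller."""
    state: CallState = CallState.IDLE
    remote: Optional[str] = None
    transmitting: bool = False
    pending: List[Message] = field(default_factory=list)

    def handle(self, msg: Message) -> None:
        if msg.kind == "call_offer" and self.state is CallState.IDLE:
            self.state, self.remote = CallState.RINGING, msg.sender
        elif msg.kind == "media_setup":
            if msg.sender != self.remote:
                return                      # not from the current caller: drop it
            if self.state is CallState.CONNECTED:
                self.transmitting = True
            else:
                self.pending.append(msg)    # defer until the user accepts
        elif msg.kind == "hangup" and msg.sender == self.remote:
            self.state, self.remote, self.transmitting = CallState.IDLE, None, False
            self.pending.clear()

    def accept(self) -> None:
        if self.state is not CallState.RINGING:
            return                          # nothing to accept
        self.state = CallState.CONNECTED
        for msg in self.pending:            # apply deferred setup only now
            self.handle(msg)
        self.pending.clear()
        self.transmitting = True


# Constructed attack sequence: the caller sends the setup message right after
# the offer, before the callee has had a chance to answer.
ATTACK = [Message("call_offer", "attacker"), Message("media_setup", "attacker")]


def audio_leaks_before_answer(callee_cls) -> bool:
    """True if the callee transmits audio while the call is still only ringing."""
    callee = callee_cls()
    for msg in ATTACK:
        callee.handle(msg)
    return callee.state is CallState.RINGING and callee.transmitting


def transmits_after_accept(callee_cls) -> bool:
    """Sanity check: a legitimate, accepted call still carries audio."""
    callee = callee_cls()
    for msg in ATTACK:
        callee.handle(msg)
    callee.accept()
    return callee.state is CallState.CONNECTED and callee.transmitting


def accepts_third_party_setup(callee_cls) -> bool:
    """True if a media_setup from someone other than the caller starts audio."""
    callee = callee_cls()
    callee.handle(Message("call_offer", "friend"))
    callee.handle(Message("media_setup", "someone_else"))
    return callee.transmitting


if __name__ == "__main__":
    for cls in (VulnerableCallee, HardenedCallee):
        print(cls.__name__, "leaks audio before answer:", audio_leaks_before_answer(cls))
```

The same pattern of deferring any network-driven media start until local user consent is the generic fix for pre-answer eavesdropping bugs in calling apps; the friend-list precondition described above limits who can reach the vulnerable code path but does not replace the state check.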
Last year, Apple fixed a FaceTime bug that let your contacts eavesdrop on you. Silvanovich said that after that exploit was found she began looking at other calling apps. So far she has found bugs in other communication apps including Signal, Mocha and JioChat, all of which have since been patched.
Facebook disclosed the bug as part of a blog post marking the 10th anniversary of its bug bounty program. The company said it has paid out $11.7 million to security researchers for 6,900 accepted reports out of more than 130,000 submissions.
Last month, the social network unveiled a new loyalty program, called Hacker Plus, to further incentivize bug sleuths discovering vulnerabilities in Facebook’s platforms.
You can read the full technical description of the vulnerability here.