A Facebook Messenger Flaw Could Have Let Hackers Listen In
It’s been almost a decade since Facebook started offering researchers cash rewards for finding and disclosing vulnerabilities in the company’s platforms. Those same 10 years have demonstrated both the social network’s popularity and its serious pitfalls, as its privacy and misinformation-related failures have impacted geopolitics around the world. But the bug bounty program, at least, has consistently been a bright spot, this year paying out two of its three largest rewards ever—including $60,000 for a bug in Facebook Messenger that could have allowed an attacker to call you and start listening to your end of the line before you picked up.
Discovered by Natalie Silvanovich of Google’s Project Zero bug-hunting team, the vulnerability, which is now patched, could have been exploited on Messenger for Android if an attacker simultaneously called a target and sent them a specially crafted, invisible message to trigger the attack. From there, the attacker would start hearing audio from the victim’s end of the call, even if the victim didn’t answer, for as long as the call kept ringing. The bug bears some similarities to one Apple scrambled to patch last year in FaceTime group calls.