Bugs in various chat apps let attackers spy on users


Vulnerabilities found in multiple video conferencing mobile applications allowed attackers to concentrate on users’ surroundings without permission before the person on the opposite end picked up the calls.

The logic bugs were found by Google Project Zero security researcher Natalie Silvanovich in the Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps and are now all fixed.

However, before being patched, they made it possible to force targeted devices to transmit audio to the attackers’ devices without the necessity of gaining code execution.

“I investigated the signaling state machines of seven video conferencing applications and located five vulnerabilities that would allow a caller device to force a caller device to transmit audio or video data,” Silvanovich explained.

“Theoretically, ensuring caller consent before audio or video transmission should be a reasonably simple matter of waiting until the user accepts the decision before adding any tracks to the peer connection.

“However, once I checked out real applications they enabled transmission in many various ways. Most of those led to vulnerabilities that allowed calls to be connected without interaction from the caller.”

As Silvanovich revealed, a sign bug patched in September 2019 made it possible to attach the audio call by sending the connect message from the caller devices to the caller one rather than the opposite way around, without user interaction.

The Google Duo bug, a race condition that allowed callers to leak video packets from unanswered calls to the caller, was fixed in December 2020, while the Facebook Messenger flaw which allowed audio calls to attach before the decision was answered was addressed in November 2020.

Two similar vulnerabilities were discovered within the JioChat and Mocha messengers in July 2020, bugs that allowed sending JioChat audio (fixed in July 2020) and to send Mocha audio and video (fixed in August 2020) after exploitation, without user consent.

Silvanovich also searched for similar bugs in other video conferencing apps, including Telegram and Viber, but didn’t find any such issues.

“The majority of calling state machines I investigated had logic vulnerabilities that allowed audio or video content to be transmitted from the caller to the caller without the caller’s consent,” Silvanovich added.

“It is additionally concerning to notice that I didn’t check out any group calling features of those applications, and every one the vulnerabilities reported were found in peer-to-peer calls. This is a neighborhood for future work that would reveal additional problems.”

Two years ago, Silvanovich also found a critical vulnerability in the WhatsApp mobile messaging app that could have been activated simply by a user answering a call to crash or fully compromise the app.


Please enter your comment!
Please enter your name here