Facebook has fixed a critical flaw in the Facebook Messenger for Android app. The bug could have allowed an attacker who is logged in to Messenger for Android to simultaneously initiate a call and send an unintended message type to another user, whether that person is logged in on Messenger for Android or on any other Messenger client, such as the web browser version.
That would trigger a scenario in which, while the target’s device is still ringing, the caller would begin receiving audio from it, either until the person being called answers or until the call times out. To take advantage of this issue, an attacker would already need permission to call the target, that is, they would have to pass Messenger’s eligibility checks (for example, being Facebook friends). They would also need to use reverse-engineering tools to manipulate their own Messenger application into sending a custom message.
After fixing the reported bug server-side, Facebook’s security researchers applied additional protections against this issue across the company’s apps that use the same protocol for 1:1 calling. According to Facebook, this report is among its three highest bug bounties at $60,000, which reflects its maximum potential impact.
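The root cause described above is a signaling flaw: a message that renegotiates media was honoured before the callee had accepted the call, so audio started flowing while the phone was still ringing. The following is an added example, not code from Facebook or Messenger, and its message names ("offer", "media_update", "hangup") and state names are constructed for illustration only. It models a callee-side call session in two configurations: an unsafe one that applies peer media updates regardless of call state, and a hardened one that drops any media change until the local user has explicitly accepted, which is the kind of server- and client-side check Facebook describes adding.

```python
"""Callee-side call-signaling state machine (constructed example).

Message types and states are hypothetical; they are not Messenger's protocol.
The point demonstrated: the transition to ACTIVE must be driven only by a
local user action, and peer-originated media changes must be refused in any
other state.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()   # device is alerting; user has not accepted yet
    ACTIVE = auto()    # user explicitly accepted the call
    ENDED = auto()


@dataclass
class CallSession:
    """`audio_tx` models whether the microphone stream is being sent to the
    peer. It must never become True before the local user accepts."""
    enforce_state: bool = True        # False reproduces the unsafe behaviour
    state: CallState = CallState.IDLE
    audio_tx: bool = False
    log: list = field(default_factory=list)

    def accept(self) -> None:
        """Local user pressed 'answer': the only path into ACTIVE."""
        if self.state is CallState.RINGING:
            self.state = CallState.ACTIVE
            self.audio_tx = True

    def handle_peer_message(self, msg: dict) -> bool:
        """Apply one message received from the remote peer.
        Returns True if the message was accepted, False if rejected."""
        kind = msg.get("type")
        if kind == "offer" and self.state is CallState.IDLE:
            self.state = CallState.RINGING
            return True
        if kind == "media_update":
            return self._apply_media_update(msg)
        if kind == "hangup" and self.state in (CallState.RINGING, CallState.ACTIVE):
            self.state = CallState.ENDED
            self.audio_tx = False
            return True
        self.log.append(f"rejected {kind!r} in state {self.state.name}")
        return False

    def _apply_media_update(self, msg: dict) -> bool:
        wants_audio = bool(msg.get("audio", False))
        if self.enforce_state and self.state is not CallState.ACTIVE:
            # Hardened path: media renegotiation from the peer is only honoured
            # once the user has accepted; anything earlier is dropped and logged
            # so that repeated attempts are visible to monitoring.
            self.log.append(f"dropped media_update in state {self.state.name}")
            return False
        # Unsafe path (enforce_state=False): the update is applied regardless of
        # call state, so a peer can switch audio on while the device is ringing.
        self.audio_tx = wants_audio
        return True


def simulate_early_media(enforce_state: bool) -> dict:
    """Peer sends a media update while the callee is still ringing."""
    s = CallSession(enforce_state=enforce_state)
    s.handle_peer_message({"type": "offer"})
    s.handle_peer_message({"type": "media_update", "audio": True})
    audio_while_ringing = s.audio_tx          # should be False when hardened
    s.handle_peer_message({"type": "hangup"})
    return {"audio_while_ringing": audio_while_ringing,
            "final_state": s.state.name,
            "log": list(s.log)}


def simulate_normal_call() -> bool:
    """Hardened session, legitimate flow: offer, local accept, then media."""
    s = CallSession(enforce_state=True)
    s.handle_peer_message({"type": "offer"})
    s.accept()
    s.handle_peer_message({"type": "media_update", "audio": True})
    return s.audio_tx


if __name__ == "__main__":
    print("unsafe :", simulate_early_media(enforce_state=False))
    print("hardened:", simulate_early_media(enforce_state=True))
    print("normal call audio after accept:", simulate_normal_call())
```

The design choice worth noting is that `accept()` is a local method rather than a message type: no peer-originated message can move the session into ACTIVE, so the state check in `_apply_media_update` cannot be bypassed by sending a forged "answer" first. The dropped-message log line is what a detection rule would key on if a client repeatedly tries to renegotiate media during the ringing phase.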
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains that this isn’t the first time we’ve seen an attack like this. He also stated that last year it was reported that an attacker could inject commercial spyware onto a device via unanswered WhatsApp calls. Attackers will find creative ways to bypass the native security measures built into apps and devices in order to discreetly compromise the device.
This vulnerability in particular could be used to execute a highly effective spying campaign against targeted individuals. It’s an inexpensive and straightforward way to be able to listen in on certain individuals. It’s another example of how attackers can take advantage of personal applications on devices to steal corporate information. This one is unique because it doesn’t require any direct interaction with the target and no malware needs to be installed.
Mobile devices are key to productivity, so cybercriminals are increasingly exploiting mobile vulnerabilities in outdated apps and OS versions to initiate their attacks. A user running an outdated version of Facebook Messenger could unintentionally expose sensitive information to attackers. It’s absolutely necessary to know which mobile apps are running on your employees’ mobile devices, especially if you permit them to use personal devices to access corporate data. Outdated apps could also put you out of alignment with compliance standards and cause unintentional data leakage.