A new found vulnerability in messaging software such as Messenger, Google Duo and Signal allowed recording users.
A team of Google researchers has revealed a vulnerability in some of the most used instant messaging apps, such as Messenger and Signal.
This is the discovery of a researcher from Project Zero, the Google project that brings together security experts to find problems and bugs in programs and the Internet. For example, members of Project Zero discovered the biggest processor vulnerability in history.
The bugs discovered by researcher Natalie Silvanovich in seven instant messaging applications could have been even more dangerous, as they allowed attackers to record audios and videos using the victim’s device, without the victim having to do anything, and without the victim’s consent.
Google discovered serious bugs in messaging apps
The investigation began, when in last January 2019 it was revealed that a bug in the iPhone allowed us to hear and see the person we were calling, before they took the call.
According to Silvanovich, such a serious vulnerability, and at the same time easy to use, occurred because of a logical bug, made him think about whether he could find something similar on other platforms.
And indeed, after reviewing some of the industry’s messaging apps that allow calls and video calls, he discovered that many had similar bugs. That’s because most messaging apps use WebRTC, a real-time communication standard that allows connection between two entities.
As a result, these apps had several security holes, allowing an attacker to make the connection before the user receiving it even had to accept it; as a result, it could record audio and even video directly from the smartphone, in addition to affecting its operation.
Signal is also affected from the vulnerability
One of the apps on the affected list is Signal, which has recently enjoyed spectacular growth thanks precisely to its presentation as a safer alternative to WhatsApp or Telegram. In its case, the vulnerability allowed an attacker to listen directly through the device’s microphone, as the app did not check who was making the call. This problem was solved thanks to an update published in September 2019; in addition, Signal no longer uses WebRTC to make connections.
In contrast, other apps have taken a little longer to fix their bugs; ironically, Google Duo has been the latest, fixing in December 2020 an issue that was filtering video data packets from unanswered calls.
Facebook Messenger is another popular app affected, which fixed the problem in November 2020; in its case, the attacker could initiate a call and at the same time send a message to the target, causing the app to start sending sound to the attacker without showing the call on screen.
It says a lot about the seriousness of the issue that Project Zero has decided not to make these problems public until now. Google started the project with a highly controversial policy, of publishing the vulnerabilities discovered within 90 days, regardless of whether they had been fixed; for example, when it published how to bypass the limitations of Windows 10S before Microsoft could publish the patch.
However, this case appears to have been serious enough for Google to have waited until all the apps (including its own) had patched.
