Natalie Silvanovich, a security researcher at Google Project Zero, disclosed critical vulnerabilities in multiple messaging and video conferencing mobile apps that allowed malicious actors to snoop into users’ conversations without their permission. The affected applications include Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.
Silvanovich said the vulnerabilities in these platforms are similar to the critical flaw, dubbed “Logic bug,” that was discovered in Apple’s FaceTime group chat feature in January 2019. That flaw allowed threat actors to initiate a FaceTime video call and eavesdrop on a victim by adding their own phone number as a third participant in a group call before the victim accepted it. Apple removed the FaceTime group chat feature and fixed the issue in a subsequent iOS update.
I found logic bugs that allow audio or video to be transmitted without user consent in five mobile applications including Signal, Duo and Facebook Messenger https://t.co/PlB0PzLzjJ
— Natalie Silvanovich (@natashenka) January 19, 2021
“The ability to force a target device to transmit audio to an attacker device without gaining code execution was an unusual and possibly unprecedented impact of a vulnerability. Moreover, the vulnerability was a logic bug in the FaceTime calling state machine that could be exercised using only the user interface of the device. While this bug was soon fixed, the fact that such a serious and easy to reach vulnerability had occurred due to a logic bug in a calling state machine — an attack scenario I had never seen considered on any platform — made me wonder whether other state machines had similar vulnerabilities as well,” Silvanovich explained.
Logic Bugs in Multiple Apps
Silvanovich stated that she found logic vulnerabilities in the Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps, all of which have since been patched. Most of these vulnerabilities allowed calls to be connected without any interaction from the person on the other end. Beyond that, the flaws had the following effects:
Google Duo: The vulnerability, which was fixed in December 2020, would disable the video and set up a connection in a way that caused the callee to leak video packets from unanswered calls. This was possible because Google Duo’s signaling, unlike that of other video chat applications, supports a feature that lets the callee preview the caller’s video before answering.
Signal: The audio call flaw in Signal’s Android app, which was fixed in September 2019, arose because the application did not check that the device receiving the connect message was the caller’s device. As a result, the audio call connected without the callee answering, allowing the caller to hear the callee’s surroundings.
The vulnerability in Facebook Messenger, which was fixed in November 2020, allowed an attacker to initiate a call and send a specially crafted message to a victim who was signed in to both the app and the web browser.
JioChat and Mocha
Silvanovich found two similar vulnerabilities in JioChat (fixed in July 2020) and Mocha (fixed in August 2020). The vulnerabilities allowed a caller to force the victim’s device to send audio and video content without the user’s knowledge.
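The Signal and JioChat/Mocha findings share one pattern: a signaling message moved the callee into a media-transmitting state without the callee’s user having answered. The following is an added, illustrative model of that pattern in a toy call state machine (it is not code from Signal, JioChat, Mocha or any other app named here): a weak connect handler that trusts the message regardless of role, beside one that rejects it unless the local side is the caller.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

# Added illustrative model of a calling state machine; it is not code from
# any of the applications the article names.

class Role(Enum):
    CALLER = auto()
    CALLEE = auto()

class State(Enum):
    IDLE = auto()
    RINGING = auto()     # callee shows the incoming call; user has not answered
    CONNECTED = auto()   # microphone/camera media may flow to the peer

@dataclass
class CallSession:
    role: Role
    state: State = State.IDLE
    media_enabled: bool = False   # True means this side is transmitting audio/video
    log: list = field(default_factory=list)

    def user_answers(self) -> bool:
        """Local UI action: only a ringing callee can answer and start media."""
        if self.role is Role.CALLEE and self.state is State.RINGING:
            self.state, self.media_enabled = State.CONNECTED, True
            return True
        return False

    def on_connect_message(self, strict: bool) -> bool:
        """Peer sent 'connect'. In the protocol only the callee sends it, so only
        the caller should act on it. strict=False models the missing role check
        the article describes; strict=True drops the message on the callee side."""
        if strict and self.role is not Role.CALLER:
            self.log.append("rejected connect: local side is not the caller")
            return False
        self.state, self.media_enabled = State.CONNECTED, True
        return True

def callee_leaks_media(strict: bool) -> bool:
    """A remote caller sends 'connect' to a ringing callee. Did the callee start
    transmitting media without its user answering?"""
    callee = CallSession(Role.CALLEE, State.RINGING)
    callee.on_connect_message(strict=strict)
    return callee.media_enabled
```

The check in the strict branch is the one a defender wants in every transition that can enable media: the message type alone is not enough, the handler must also verify that the local role and state permit it.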