Google Project Zero security researcher, Natalie Silvanovich has disclosed several vulnerabilities found in multiple video conferencing applications, including Facebook Messenger, Signal, Google Duo, JioChat, and Mocha messaging apps, but which many are now fixed.

The bugs made it possible to transmit audio to the attackers' devices without having to gain any code execution. Such as the Signal bug which was patched in September 2019, that made it possible to connect the audio call by simply sending the connect message from the caller's device to the callee instead of the other way around, without user interaction.

Now, the vulnerability occurred due to a logic bug in a calling state machine, that is, as the recipient never responded with an "answer" before adding tracks to the connection.

How the Bugs in Signal, Facebook Messenger, and Google chat apps let attackers spy on users?



While the majority of messaging apps rely on WebRTC for communication, the connections are often created by exchanging call set-up using Session Description Protocol (SDP) between peers in what's known as signaling, that typically works by sending SDP offer from the caller to which the callee responds with an SDP answer.



If perhaps, a user starts a WebRTC call with another user, a session description called an "offer" will be created containing all the data necessary to set up a connection, like the kind of media, format, the transfer protocol, and the endpoint's IP address and port being used, among others.

Normally, it is expected that a callee consent is ensured ahead of audio transmission and that no information is shared until the receiver interacts with the app to answer the call, before adding tracks to the connection, but Silvanovich observed a contrary result.

The flaws did not only allow calls to be connected without interaction from the callee, but also, it potentially permitted the caller to force a callee device to transmit audio/video data.

All Affected Messaging Apps have released a Fix



Facebook issued a patch for Messenger in November 2020, against the vulnerability that could have granted an attacker logged into the Messenger app to simultaneously initiate a call and send a maliciously crafted message to a target signed in to both the app as well as any other Messenger client like a web browser, and starts receiving audio from the callee device.

And Signal on its part issued a fix in September 2019 for the audio call flaw in Signal's Android app that made it possible for the caller to get the callee's surroundings sound due to the fact that it didn't check if the receiving device that connect message from the callee was actually the caller device.

Other messaging apps including JioChat and Mocha messaging apps have all issued patches for their respective apps. Albeit, such logic bugs in the signaling state machines remains an under-investigated attack surface of video conferencing applications.

Project Zero discloses Critical Bugs in Signal, Messenger and Google chat apps

Google Project Zero security researcher, Natalie Silvanovich has disclosed several vulnerabilities found in multiple video conferencing applications, including Facebook Messenger, Signal, Google Duo, JioChat, and Mocha messaging apps, but which many are now fixed.

The bugs made it possible to transmit audio to the attackers' devices without having to gain any code execution. Such as the Signal bug which was patched in September 2019, that made it possible to connect the audio call by simply sending the connect message from the caller's device to the callee instead of the other way around, without user interaction.

Now, the vulnerability occurred due to a logic bug in a calling state machine, that is, as the recipient never responded with an "answer" before adding tracks to the connection.

How the Bugs in Signal, Facebook Messenger, and Google chat apps let attackers spy on users?



While the majority of messaging apps rely on WebRTC for communication, the connections are often created by exchanging call set-up using Session Description Protocol (SDP) between peers in what's known as signaling, that typically works by sending SDP offer from the caller to which the callee responds with an SDP answer.



If perhaps, a user starts a WebRTC call with another user, a session description called an "offer" will be created containing all the data necessary to set up a connection, like the kind of media, format, the transfer protocol, and the endpoint's IP address and port being used, among others.

Normally, it is expected that a callee consent is ensured ahead of audio transmission and that no information is shared until the receiver interacts with the app to answer the call, before adding tracks to the connection, but Silvanovich observed a contrary result.

The flaws did not only allow calls to be connected without interaction from the callee, but also, it potentially permitted the caller to force a callee device to transmit audio/video data.

All Affected Messaging Apps have released a Fix



Facebook issued a patch for Messenger in November 2020, against the vulnerability that could have granted an attacker logged into the Messenger app to simultaneously initiate a call and send a maliciously crafted message to a target signed in to both the app as well as any other Messenger client like a web browser, and starts receiving audio from the callee device.

And Signal on its part issued a fix in September 2019 for the audio call flaw in Signal's Android app that made it possible for the caller to get the callee's surroundings sound due to the fact that it didn't check if the receiving device that connect message from the callee was actually the caller device.

Other messaging apps including JioChat and Mocha messaging apps have all issued patches for their respective apps. Albeit, such logic bugs in the signaling state machines remains an under-investigated attack surface of video conferencing applications.

No comments