Facebook has recently patched a bug in its instant messaging application, Messenger, that would have allowed anyone to listen in on other people’s Messenger calls.
The bug was found by Natalie Silvanovich, a Google Project Zero researcher. Last month she discovered that hackers could potentially exploit a bug in Messenger’s code that allowed an attacker to essentially send an invisible message to another user and then listen in on their audio, even if they hadn’t picked up the call.
Fortunately, the bug was caught early, before any reported cases, and Facebook patched it. It was also exploitable only under specific circumstances: the attacker would have needed permission to call the user, which means that they were already in the user’s friends list, and both of them needed to be on Messenger for Android. The victim also needed to be logged in to Messenger through a web browser, which is highly unusual.
Facebook revealed details about this bug recently, on the 10th anniversary of its bug bounty program. The program is set up for people who find and report bugs in the company’s applications. The company said that it has paid around 11.7 million dollars in bounties to security researchers for 6,900 bugs reported and accepted. More than 130,000 reports were submitted.
A similar bug involving Apple’s FaceTime surfaced last year. That bug let people in your contacts call you and then overhear your audio even if you had not answered the call. Silvanovich started researching other messaging applications after the FaceTime bug came to light. She has since found similar bugs in many of them. All of them, she said, have been reported and fixed by their respective companies.