Facebook Messenger, Signal: Google discovers several security holes allowing to spy on users

Facebook Messenger, Signal, Google Duo, Mocha or JioChat… These instant messaging services contained critical security vulnerabilities, which made it possible to listen to the user even before he answered the call. It was researchers at Google Project Zero who revealed these vulnerabilities.

messenger security breach
Credits: Pixabay

A computer security researcher from Google Project Zero discovered a series of serious security flaws in several instant messaging applications, such as Facebook Messenger, Google Duo or Signal. “I have found bugs that allow audio and video to be transmitted without user consent on five mobile apps, including Signal, Google Duo and Facebook Messenger ”, writes Natalie Silvanovich on Twitter.

It all started with a bug on FaceTime Video spotted in 2019. Remember, this flaw allowed a hacker to spy on iPhone users, without them needing to pick up. Additionally, an attacker was also able to display the options menu and add themselves to a group chat, without the users’ knowledge.

Read also: Android – a security breach allows you to spy on all your calls

What if the FaceTime Video flaw was found in other apps?

After the controversy generated by this affair, Natacha Silvanovich simply wondered if it was possible to find similar flaws in other instant messaging services. After several months of in-depth analyzes, the computer security researcher has indeed found several vulnerabilities of this type in Signal, JioChat, Mocha, Facebook Messenger or even Google Duo. Here is in detail what these flaws allowed:

  • Signal : A flaw in Signal’s Android application allowed an attacker to hear the recipient’s environment
  • JioChat and Mocha : possibility for an attacker to force the target device to send audio and video streams without the user’s consent. This vulnerability was caused by the fact that the peer-to-peer connection had been established even before the recipient answered the call.
  • Facebook Messenger : Possibility for an attacker connected to the app to simultaneously launch a call and send a corrupted message to a target connected both to the mobile application and to another medium (the Web version of Messenger for example) and to receive the audio from the called device
  • Google Duo : A situation of competition (note: this is a situation characterized by a different result depending on the order in which the actors of the computer system act) between the deactivation of the video and the establishment of the connection, which in some situations can cause video packets to leak after multiple unanswered calls

As Natalie Silvanovich points out, all these flaws have been corrected by the respective developers of these applications. Signal took care of it in June 2019, JioChat and Mocha in the summer of 2020, while Facebook and Google fixed the problems on Messenger and Google Duo at the end of 2020.

Source: Google Project Zero