Facebook patches Messenger audio snooping bug – update now!
2020-11-20 19:39

When you make a Messenger call, for example, the app on your device - which could be a mobile phone, a laptop or even something like a smart TV - asks the Messenger cloud to locate the recipient's device, and the apps at each end start negotiating to set up a call.

Once the call is accepted by the recipient - typically after the app has played a ringtone, popped up a message or both, and the recipient has opted in to the call - then the apps start exchanging network packets of audio data.

The apps at each end decide, based on data sent and received in chunks over the network, when to initiate a connection with a view to establishing a call; when to ring to signal an incoming call; when it's OK to start recording and relaying sound; when to mute the call; and when to stop exchanging data, thereby hanging up the call and disconnecting the virtual voice circuit.

Greatly simplified, the bug involves an attacker sneaking through an unexpected, additional control message to the app on your phone while the call is still ringing at your end.

The PoC exploit requires you to be logged into Facebook in your browser at the same time as the app announces the incoming call.
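The call flow described above can be modelled as a receiver-side state machine that checks every incoming control message against the current call state and lets only a local user action start audio. This is an added illustration, not Messenger's code; the message names (`offer`, `update`, `cancel`, `hangup`) and all class and function names are hypothetical.

```python
from enum import Enum, auto

class CallState(Enum):
    IDLE = auto()
    RINGING = auto()     # incoming call announced, user has not answered yet
    CONNECTED = auto()   # user accepted; audio may flow
    ENDED = auto()

# Hypothetical message names: which remote control messages are legal per state.
ALLOWED = {
    CallState.IDLE: {"offer"},
    CallState.RINGING: {"cancel"},              # caller may only withdraw the call
    CallState.CONNECTED: {"update", "hangup"},  # renegotiation only after accept
    CallState.ENDED: set(),
}

class Callee:
    def __init__(self):
        self.state = CallState.IDLE
        self.sending_audio = False
        self.rejected = []   # dropped messages, kept for logging and alerting

    def on_remote_message(self, kind):
        """Handle a control message from the network; return True if applied."""
        if kind not in ALLOWED[self.state]:
            self.rejected.append((self.state.name, kind))
            return False
        if kind == "offer":
            self.state = CallState.RINGING
        elif kind in ("cancel", "hangup"):
            self.state = CallState.ENDED
            self.sending_audio = False
        return True   # "update" changes no call state in this model

    def on_local_accept(self):
        """Only the local user's action can turn the microphone stream on."""
        if self.state is not CallState.RINGING:
            return False
        self.state = CallState.CONNECTED
        self.sending_audio = True
        return True

def replay(messages):
    """Feed constructed messages ("local:accept" is the user's tap) to a new callee."""
    callee = Callee()
    for msg in messages:
        if msg == "local:accept":
            callee.on_local_accept()
        else:
            callee.on_remote_message(msg)
    return callee
```

The `rejected` list doubles as a detection signal: a control message arriving in a state where it is not allowed is worth logging on the client or server side.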


News URL

https://nakedsecurity.sophos.com/2020/11/20/facebook-patches-messenger-audio-snooping-bug-update-now/

Related vendor

Last 12 months:

Vendor    Products  Low  Medium  High  Critical  Total vulns
Facebook  29        0    11      46    54        111