Facebook Messenger Bug Lets Hackers Listen to You Before You Pick Up the Call
2020-11-23 21:53

In a nutshell, the vulnerability could have allowed an attacker who is logged into the app to simultaneously initiate a call and send a specially crafted message to a target who is signed in to both the app and another Messenger client, such as the web browser.

"It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out," Facebook's Security Engineering Manager Dan Gurfinkel said.

According to a technical write-up by Silvanovich, the flaw resides in WebRTC's Session Description Protocol - which defines a standardized format for the exchange of streaming media between two endpoints - allowing an attacker to send a special type of message known as "SdpUpdate" that would cause the call to connect to the callee's device before being answered.
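The defensive point behind this class of bug is that remote signaling must never be able to start outgoing media; only the callee's local answer action may. The following is an added example, not code from Messenger or from the write-up: a simplified callee-side state machine in which the class, method names, and the "offer" and "hangup" message types are hypothetical, and only the "SdpUpdate" type name comes from the article.

```javascript
// Added example: simplified callee-side call state machine (hypothetical names).
// "SdpUpdate" is the message type named in the article; everything else is assumed.
class CalleeSession {
  constructor({ gateOnUserAccept }) {
    this.gateOnUserAccept = gateOnUserAccept; // true = hardened behaviour
    this.state = "idle";        // idle -> ringing -> connected -> ended
    this.userAccepted = false;  // set only by a local UI action
    this.sendingAudio = false;
    this.rejected = [];         // signaling messages dropped by the gate
  }

  // Local UI action: the only event allowed to mark the call as accepted.
  userPressedAnswer() {
    if (this.state !== "ringing") return;
    this.userAccepted = true;
    this.state = "connected";
    this.sendingAudio = true;
  }

  // Remote signaling message from the caller (untrusted input).
  onSignal(msg) {
    switch (msg.type) {
      case "offer":
        if (this.state === "idle") this.state = "ringing";
        break;
      case "SdpUpdate":
        if (this.gateOnUserAccept && !this.userAccepted) {
          this.rejected.push(msg.type); // record and drop: invalid while ringing
          break;
        }
        // Ungated path: applying the update completes the connection.
        this.state = "connected";
        this.sendingAudio = true;
        break;
      case "hangup":
        this.state = "ended";
        this.sendingAudio = false;
        break;
    }
    return this.sendingAudio;
  }
}

// Replays the sequence from the article with constructed messages.
function simulate(gateOnUserAccept) {
  const s = new CalleeSession({ gateOnUserAccept });
  s.onSignal({ type: "offer" });
  const audioWhileRinging = s.onSignal({ type: "SdpUpdate" });
  s.userPressedAnswer();
  return { audioWhileRinging, audioAfterAnswer: s.sendingAudio, rejected: s.rejected };
}
```

The `rejected` list is also a useful detection signal: a session-description update arriving while the call is still ringing is worth logging server-side.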

In some ways, the vulnerability bears similarity to a privacy-eroding flaw that was reported in Apple's FaceTime group chats feature last year that made it possible for users to initiate a FaceTime video call and eavesdrop on targets by adding their own number as a third person in a group chat even before the person on the other end accepted the incoming call.

The caller would have to already have the permissions to call a specific person - in other words, the caller and the callee would have to be Facebook friends to pull this off.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/nV8LbPFqOXc/facebook-messenger-bug-lets-hackers.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Facebook 29 0 11 46 54 111