Security News > 2021 > January > Bugs in Signal, Facebook, Google chat apps let attackers spy on users
Vulnerabilities found in multiple video conferencing mobile applications allowed attackers to listen to users' surroundings without permission before the person on the other end picked up the calls.
The logic bugs were found by Google Project Zero security researcher Natalie Silvanovich in the Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps and are now all fixed.
"Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection."
As Silvanovich revealed, a Signal bug patched in September 2019 made it possible to connect the audio call by sending the connect message from the caller devices to the callee one instead of the other way around, without user interaction.
The Google Duo bug, a race condition that allowed callees to leak video packets from unanswered calls to the caller, was fixed in December 2020, while the Facebook Messenger flaw which allowed audio calls to connect before the call was answered was addressed in November 2020.
"The majority of calling state machines I investigated had logic vulnerabilities that allowed audio or video content to be transmitted from the callee to the caller without the callee's consent," Silvanovich added.