Security News > 2021 > January > Google Research Pinpoints Security Soft Spot in Multiple Chat Platforms

Google Project Zero researcher Natalie Silvanovich outlined what she believes is a common theme when it comes to serious vulnerabilities impacting leading chat platforms.

The research, published Tuesday, identifies a common denominator within chat platforms, called "Calling state machine", which acts as a type of dial tone for messenger applications.

Past bugs in the messaging apps Signal, Google Duo and Facebook Messenger, which had allowed threat actors to spy on users through unauthorized transmission of audio or video, were tied to configuration errors in the "Calling state machine".

The Google Duo bug, which could cause someone making a call to leak video packets, was fixed in September 2020, while the Facebook Messenger bug, which could cause someone's audio call to connect before he or she had answered the call, was patched about two months later.

"The majority of calling state machines I investigated had logic vulnerabilities that allowed audio or video content to be transmitted from the callee to the caller without the callee's consent," Silvanovich wrote.

Web Real-Time Communications is used in the majority of video-conferencing applications to create connections by exchanging call set-up information in Session Description Protocol between peers, a process that is called signalling.

News URL

https://threatpost.com/google-research-pinpoints-security-soft-spot-in-multiple-chat-platforms/163175/