Google Research Pinpoints Security Soft Spot in Multiple Chat Platforms
Security News, January 2021

Google Project Zero researcher Natalie Silvanovich outlined what she believes is a common theme when it comes to serious vulnerabilities impacting leading chat platforms.
The research, published Tuesday, identifies a common denominator across chat platforms: the "calling state machine", which acts as a type of dial tone for messenger applications.
Past bugs in the messaging apps Signal, Google Duo and Facebook Messenger, which had allowed threat actors to spy on users through unauthorized transmission of audio or video, were tied to configuration errors in the "calling state machine".
The Google Duo bug, which could cause someone making a call to leak video packets, was fixed in September 2020, while the Facebook Messenger bug, which could cause someone's audio call to connect before he or she had answered the call, was patched about two months later.
"The majority of calling state machines I investigated had logic vulnerabilities that allowed audio or video content to be transmitted from the callee to the caller without the callee's consent," Silvanovich wrote.
Web Real-Time Communications (WebRTC) is used in the majority of video-conferencing applications to create connections between peers by exchanging call set-up information in Session Description Protocol (SDP), a process that is called signalling.
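
The property at stake, that a callee sends no audio or video until the callee has answered, can be enforced by making media a function of call state alone. The sketch below is an added example, not code from the research or from any of the named apps; the states, event names and the `CalleeCall` class are hypothetical, and the track objects are plain stand-ins for real media tracks.

```javascript
// Hypothetical callee-side calling state machine (all names constructed).
const State = Object.freeze({ IDLE: 'idle', RINGING: 'ringing', CONNECTED: 'connected', ENDED: 'ended' });

// event -> { current state -> next state }; anything not listed is rejected.
const TRANSITIONS = {
  offer:       { idle: 'ringing' },
  user_accept: { ringing: 'connected' },
  hangup:      { ringing: 'ended', connected: 'ended' },
};

// Only these events are accepted from the remote peer over signalling.
const REMOTE_EVENTS = new Set(['offer', 'hangup']);

class CalleeCall {
  constructor(tracks) {
    this.state = State.IDLE;
    this.tracks = tracks;
    this.tracks.forEach(t => { t.enabled = false; }); // nothing is sent by default
  }
  // source is 'remote' (signalling message) or 'local' (UI action by the callee)
  handle(event, source) {
    if (source === 'remote' && !REMOTE_EVENTS.has(event)) return false; // consent is local-only
    const next = (TRANSITIONS[event] || {})[this.state];
    if (!next) return false; // unknown or out-of-order event: state is unchanged
    this.state = next;
    const live = this.state === State.CONNECTED; // media derives from state, nothing else
    this.tracks.forEach(t => { t.enabled = live; });
    return true;
  }
  isSending() { return this.tracks.some(t => t.enabled); }
}

// Replays a list of [event, source] pairs against a fresh call (constructed input).
function runScenario(events) {
  const call = new CalleeCall([{ kind: 'audio', enabled: true }, { kind: 'video', enabled: true }]);
  const log = events.map(([ev, src]) => call.handle(ev, src));
  return { state: call.state, sending: call.isSending(), log };
}
```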