Bugs in Signal, other video chat apps allowed attackers to listen in on users
2021-01-21 11:28

Bugs in several messaging/video chat mobile apps allowed attackers to spy on targeted users' surroundings.

The vulnerabilities - in Signal, Google Duo, Facebook Messenger, JioChat, and Mocha - could be triggered by simply placing a call to the target's device - no other action was needed.

The bug, discovered by a Tucson high-schooler, would allow the initiator of a Group FaceTime call to listen to what was happening in the target device's surroundings even if the target didn't pick up the call.

She decided to check whether other popular messaging platforms with video conferencing capabilities sported similar vulnerabilities, and she found some in Signal Messenger, Google Duo, Facebook Messenger, JioChat, and Mocha.

"I looked at Telegram in August 2020, right after video conferencing was added to the application. I did not find any problems, largely because the application does not exchange the offer, answer or candidates until the callee has answered the call. I looked at Viber in November 2020, and did not find any problems with their state machine, though challenges reverse engineering the application made this analysis less rigorous than the other applications I looked at."

The root of these vulnerabilities differed, but all allowed the caller to hear the callee's surroundings.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/Pvmp2UgSt4c/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Signal 3 1 7 5 1 14