Logic bugs found in popular apps, including Signal and FB Messenger

January 20, 2021  By Pierluigi Paganini


Flaws in popular messaging apps, such as Signal and FB Messenger allowed to force a target device to transmit audio to an attacker device.

Google Project Zero security researcher Natalie Silvanovich found multiple flaws in popular video conferencing apps such as Signal and FB Messenger, that allowed to force a target device to transmit audio of the surrounding environment to an attacker device.

The bugs are similar to a logic flaw discovered in January 2019 in Group FaceTime that allowed to hear a person’s audio before he answers,

The logic flaws affect Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps, the good news is that they have been already fixed by the development teams.

“The ability to force a target device to transmit audio to an attacker device without gaining code execution was an unusual and possibly unprecedented impact of a vulnerability. Moreover, the vulnerability was a logic bug in the FaceTime calling state machine that could be exercised using only the user interface of the device.” reads the post published by Silvanovich. “While this bug was soon fixed, the fact that such a serious and easy to reach vulnerability had occurred due to a logic bug in a calling state machine — an attack scenario I had never seen considered on any platform — made me wonder whether other state machines had similar vulnerabilities as well. “

Most of video conferencing applications use WebRTC, while peers could establish WebRTC connections by exchanging call set-up information in Session Description Protocol (SDP), this process is called signalling.

In a typical WebRTC connection, the caller starts off by sending an SDP offer to the received, which in turn responds with an SDP answer. 

The messages contain most information that is needed to transmit and receive media, including codec support, encryption keys and much more. 

“Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection. However, when I looked at real applications they enabled transmission in many different ways. Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee.” continues the post.

The logical flaws also potentially allowed the caller to force a callee device to transmit audio or video data.

Silvanovich discovered that data is shared even if the receiver has not interacted with the application to answer the call.

Signal attack
  • Signal addressed the logical bug in the Android version in September 2019. “The application didn’t check that the device receiving the connect message was the caller device, so it was possible to send a connect message from the caller device to the callee. This caused the audio call to connect, allowing the caller to hear the callee’s surroundings”
  • JioChat (flaw in the Android app fixed in July 2020) and Mocha (flaw in the Android app fixed in August 2020). “This design has a fundamental problem, as candidates can be optionally included in an SDP offer or answer. In that case, the peer-to-peer connection will start immediately, as the only thing preventing the connection in this design is the lack of candidates, which will in turn lead to transmission from input devices. I tested this by using Frida to add candidates to the offers created by each of these applications. I was able to cause JioChat to send audio without user consent, and Mocha to send audio and video. Both of these vulnerabilities were fixed soon after they were filed by filtering SDP on the server.
  • Facebook Messenger addressed the bug in November 2020.
  • Google Duo solved the bug in December 2020.

“The majority of the bugs did not appear to be due to developer misunderstanding of WebRTC features. Instead, they were due to errors in how the state machines are implemented. That said, a lack of awareness of these types of issues was likely a factor. It is rare to find WebRTC documentation or tutorials that explicitly discuss the need for user consent when streaming audio or video from a user’s device.” concludes the expert.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, mobile apps)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Livecoin halted operations after the December attack

 The Russian cryptocurrency exchange Livecoin has announced it is terminating its operation following the December cyberattack.  The...