The 'Interaction-Less' Flaws in Messaging Apps Allowed Hackers to Eavesdrop


Last week, at the Black Hat security conference in Las Vegas, Google Project Zero researcher Natalie Silvanovich presented her findings on remote eavesdropping bugs in communication apps like Signal, Google Duo, and Facebook Messenger, as well as the popular international platforms JioChat and Viettel Mocha.

Natalie was concerned by the surge of bugs in popular apps. The vulnerability in the Facebook Messenger app could have allowed hackers to listen in on audio from a victim's device. The flaws in Viettel Mocha and JioChat gave advanced access to both audio and video. The Signal flaw exposed audio only, and the Google Duo flaw gave video access, but only for a few seconds. Those few seconds were enough to record a few frames or grab screenshots.

In early 2019, a bug in Group FaceTime calls on the iPhone would have allowed threat actors to activate the microphone, and even the camera, of the iPhone they were calling and eavesdrop before the recipient did anything at all. The implications were so severe that Apple blocked the Group FaceTime feature entirely until the company patched the bug.

“When I heard about that Group FaceTime bug, I thought it was a unique bug that would never occur again, but that turned out not to be true. This is something we didn’t know about before, but it’s important now for the people who make communication apps to be aware. You're making a promise to your users that you’re not going to suddenly start transmitting audio or video of them at any time, and it’s your burden to make sure that your application lives up to that,” Silvanovich explained.

Silvanovich has kept a close eye on the “interaction-less” flaws, vulnerabilities that don't require their targets to click a malicious link, download an attachment, enter a password in the wrong place, or engage in any way. 

“The idea that you could find a bug where the impact is, you can cause a call to be answered without any interaction—that's surprising. I went on a bit of a tear and tried to find these vulnerabilities in other applications. And I ended up finding quite a few,” says Silvanovich. 

The developers of the messaging apps were extremely responsive, patching the flaws within days or a few weeks of her disclosures. All of the bugs have been patched, but the surge of security loopholes in messaging apps emphasizes how common these flaws can be and the need for developers to take them seriously.