A recent security report points to the detection of a security flaw in the Facebook Messenger Rooms video chat feature would allow threat actors to access photos and videos stored on the device of affected Android users. It all starts with a user receiving an invitation to a video call room, calling and answering the call from the target device, which has been demonstrated in a proof-of-concept video shared with Facebook.
This attack requires physical access to the target device, which complicates the chances of attack. However, the attack can be carried out without the need to unlock the smartphone. Samip Aryal, the researcher who informed Facebook about the flaw, received a reward of 3 thousand dollars for his report.
The idea behind this report is based on a vulnerability previously found in the messaging platform whose exploitation would have allowed confidential images and videos to be extracted through Facebook Messenger’s Watch Together feature. This vulnerability was fixed by forcing users to unlock the device before responding to a video call.
The researcher decided to apply the same attack method to messenger rooms’ “Room Call” function, discovering that this function would also be affected by a similar flaw. In addition, it is possible to activate the fault during a call without unlocking the victim’s device.
When logging into a Facebook account through a desktop, the researcher hosted a messaging room and invited an active account on an Android device to join. After joining the room from the account that functioned as an attacker, the expert called the victim’s device from the “guest users” section and, within a few seconds, the target device, with a locked screen, began to ring: “I just answered the call and tried all the features previously identified as vulnerable, although most required an unlocked device.”, adds Aryal.
However, the researcher did not delay in noticing the pop-up message to interact with other guests in the chat room: “I discovered that I could access the confidential photos and videos on the device using this feature without unlocking the phone, which allowed me to view some image and video files,” the expert concludes. Facebook received the report and the flaw was immediately corrected.
However, the researcher did not delay in noticing the pop-up message to interact with other guests in the chat room: “I discovered that I could access the confidential photos and videos on the device using this feature without unlocking the phone, which allowed me to view some image and video files,” the expert concludes. Facebook received the report and the flaw was immediately corrected.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.