Details of the Facebook Messenger vulnerability were discussed in a proof-of-concept where it was observed that a user’s Facebook account could be hacked using this bug.
A malicious party could send the victim an invite to a Messenger Room. Then, if the attacker has physical access to the target device, they can place a Messenger call to it through that room and answer the call on the device. By clicking on the chat function, the attacker can get access to the victim’s Facebook photos, videos, posts, and similar data, which should not be accessible from a locked device.
Although the attacker needs physical access to the victim’s device in the first place, it is concerning that the attack can be executed without unlocking the target phone or tablet.
Finding the Facebook Messenger vulnerability:
The Facebook Messenger security hole was detected by security researcher Samip Aryal, who was rewarded with a bug bounty of $3000.
He began investigating the Facebook Messenger vulnerability by logging into a Facebook account on a desktop PC. There, he hosted a Messenger Room and invited an account active on an Android device to join.
After joining the room from the ‘malicious’ account, he called the victim’s device from the ‘invited users’ section, and within a few seconds the target, screen-locked device started ringing.
“I then picked up the call and tried all previously known sensitive features like ‘watch together’, ‘add people’, etc. but all of them needed to first unlock the phone before using them,” noted Aryal.
The discovery came when Aryal observed a prompt to ‘chat’ with fellow room attendees in the top right-hand corner of the call screen.
“I found that I could access all private photos/videos on that device without even unlocking the phone,” as well as submit posts “by clicking on the ‘edit’ option for any media”, he stated.
Patching the bug:
The critical Facebook Messenger security hole was reported to the social media giant by the security researcher.
Subsequently, a hotfix for the vulnerability was released within a day on both the client and server sides, so that the patch also applied to previous versions of the chat application.