Facebook has patched a critical vulnerability in the Facebook Messenger for Android mobile app, which could have let attackers spy on other Facebook users using audio and video calls.
Natalie Silvanovich, the researcher with Google’s Project Zero who discovered the bug, says it existed in Facebook Messenger’s implementation of a protocol called WebRTC, which the app uses to set up audio and video calls by exchanging “thrift messages” between callee and caller.
Normally, a person receiving a call doesn’t send audio until the call is accepted, Silvanovich said in a write-up of her findings. This step is implemented by either not calling setLocalDescription until the callee has clicked accept, or by setting audio and video media description in the local Session Description Protocol (SDP) to inactive and updating them when the call is accepted.
However, she…