Facebook has fixed a critical bug in its Messenger app that could have allowed hackers to connect audio calls without the knowledge or approval of the app user.
The vulnerability could have been used to spy on Facebook users via Android phones. A Google researcher reported the issue to Facebook last month, and the social media giant patched it on November 18 in an update to its Messenger for Android app.
The bug was found during a security audit by Natalie Silvanovich, a researcher working for Google’s Project Zero security team. Dan Gurfinkel, Facebook’s security engineering manager, said in a blog post, “What you would see is the attacker calling you and then the phone ringing and they could listen until you pick up or the call times out.” “We quickly patched this before it was exploited.”
Facebook noted, “Rooms is built on Messenger, so it uses the same technology to encrypt a video and audio conversation between people as it travels from their devices to our servers that we have placed in only a handful of countries that have strong rule of law. Rooms are not end-to-end encrypted. While there are significant challenges to providing end-to-end encryption for video calling with large groups of people, we’re actively working toward this for Messenger and Rooms.”