A Facebook Messenger Flaw Could Have Let Hackers Listen In
Facebook has run a bug bounty program for roughly ten years, and it has brought the company hundreds of reports of vulnerabilities that its own employees had not yet spotted. Recently, Facebook paid $60,000 to a researcher for reporting a bug in Facebook Messenger that could have allowed an attacker to call a target and listen to live audio from the target's device before the target picked up. The vulnerability was found by Natalie Silvanovich, a member of Google's Project Zero bug-hunting team.
Facebook stated that it patched the flaw before it was exploited in the wild. The bug is similar to the one found in Apple's FaceTime group calls last year, which Apple rushed to patch before it became a major privacy problem. This flaw was harder to exploit, however: according to Facebook, both the attacker and the target had to be logged into Facebook for Android and Messenger at the same time, and the attacker had to already have permission to call the target. Where the Apple bug could be triggered by anyone with no hacking experience, exploiting this one required reverse-engineering tools to craft the call-setup message that made the target's device start sending audio before the call was answered.
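To make the bug class concrete, here is an added illustration that is not Facebook's, Project Zero's, or Messenger's code and does not model the real signaling protocol: a hypothetical callee-side call session in which a remote "media update" message is handled two ways. The vulnerable handler applies the update regardless of call state, so a crafted update arriving while the phone is still ringing turns the microphone on; the hardened handler only honours such updates after the local user has accepted. The message type `media_update` and the session fields are assumptions for the example.

```python
"""
Toy model of the bug class described above: a caller's signaling message
must never enable media on the callee's device before the callee accepts.
Hypothetical code, not Facebook Messenger's implementation.
"""
from dataclasses import dataclass, field

RINGING, ACCEPTED, ENDED = "ringing", "accepted", "ended"


@dataclass
class CalleeSession:
    state: str = RINGING
    mic_streaming: bool = False  # True once audio is being sent to the caller
    log: list = field(default_factory=list)

    def accept(self):
        # The only legitimate path to sending audio: the user pressed "answer".
        self.state = ACCEPTED
        self.mic_streaming = True
        self.log.append("user accepted; mic on")

    def hangup(self):
        self.state = ENDED
        self.mic_streaming = False


def handle_message_vulnerable(session: CalleeSession, msg: dict) -> None:
    # Bug: a media update from the remote party toggles audio in any state,
    # so an update crafted by the caller during RINGING turns the mic on
    # before the user has answered.
    if msg.get("type") == "media_update" and msg.get("audio"):
        session.mic_streaming = True
        session.log.append("media_update applied")


def handle_message_hardened(session: CalleeSession, msg: dict) -> None:
    # Fix: remote updates may only enable audio once the local user has
    # accepted; anything else is logged and dropped.
    if msg.get("type") == "media_update" and msg.get("audio"):
        if session.state != ACCEPTED:
            session.log.append(f"dropped media_update in state {session.state}")
            return
        session.mic_streaming = True
        session.log.append("media_update applied")


# Constructed sample message: what a malicious caller might inject while
# the target's phone is still ringing (hypothetical format).
CRAFTED_UPDATE = {"type": "media_update", "audio": True}


def run(handler) -> tuple:
    """Deliver the crafted update during RINGING, then let the user answer.

    Returns (audio sent before answer, audio sent after answer).
    """
    s = CalleeSession()
    handler(s, CRAFTED_UPDATE)   # arrives while still ringing
    leaked = s.mic_streaming     # was audio enabled before the user answered?
    s.accept()
    return leaked, s.mic_streaming


if __name__ == "__main__":
    for name, h in (("vulnerable", handle_message_vulnerable),
                    ("hardened", handle_message_hardened)):
        leaked, after = run(h)
        print(f"{name}: audio before answer={leaked}, audio after answer={after}")
```

The check that matters is the one in the hardened handler: the callee's state machine, not the content of any message from the remote side, decides when media may flow. A real signaling stack would also need to reject updates that arrive before the offer is even acknowledged and to treat any state violation as grounds to end the call.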