Adam Bannister June 14, 2021 at 12:40 UTC
Updated: June 14, 2021 at 12:42 UTC
Researcher earns $ 3,000 bug bounty after compromising Facebook accounts on locked-to-screen devices
A security breach in Facebook’s Messenger Rooms video chat feature meant that attackers could access a victim’s private Facebook photos and videos, and submit messages, through their locked Android screens.
A user’s Facebook account can be compromised by inviting them to a Messenger room, then calling and answering the call from the target device, before clicking on the chat feature – as shown in a video by validation sent to Facebook with the vulnerability report.
Although it requires physical access to a victim’s device, the attack could be executed without unlocking a target smartphone or tablet, and security researcher Samip Aryal won a $ 3,000 bug bounty.
Security bug suite
Aryal’s latest discovery was inspired by a previous similar Facebook Messenger vulnerability he discovered in October 2020, whereby users’ private and recorded videos and viewing history could be exposed through the Watch Together feature during of a Messenger call.
ADVISED SIP protocol abused to trigger XSS attacks via VoIP call monitoring software
Also exploitable by an attacker with physical access to a locked Android device, the bug has been fixed with similar vulnerabilities by forcing users to unlock their phones before using the features in question.
Aryal decided to apply the same hacking technique to Messenger Rooms’ ‘room calling’ feature and discovered that the chat feature could also be activated during a call without unlocking the victim’s Android phone or tablet.
Unlock the feat
Connected to a Facebook account through a desktop computer, the researcher hosted a Messenger room and invited an active account on an Android device to join.
After joining the room from the “malicious” account, Aryal called the victim’s device from the “Guest Users” section, and within seconds the target device locked to the screen started ringing. .
“I then picked up the call and tried all the previously known sensitive features like ‘watch together’, ‘add people’, etc., but all had to unlock the phone first before using them.”
Learn about the latest social media security news.
The breakthrough came when Aryal noticed a prompt to ‘chat’ with other room attendees in the upper right corner of the call screen.
“I found out that I could access all private photos / videos on this device without even unlocking the phone,” as well as submit messages “by clicking on the” edit “option for any media,” a said the researcher.
“Awesome bonus”
Aryal said Facebook’s security team implemented a patch for the vulnerability within a day of triage, on the client side “as well as the server side to also fix it in previous vulnerable versions of Messenger.”
The size of the “impressive bounty” was a pleasant surprise given that the attack scenario required physical access to the victim’s device, the researcher added – although the device’s primary barrier to authentication proved to be of little use in this context.
The daily sip asked the researcher for further comments. We will update this article if we receive a response.
DON’T FORGET TO READ IoT security: researchers uncover the risk of eavesdropping on Stem Audio smart speakers