Google researchers report that multiple calling apps had a 'vulnerability that could send ambient sounds to users without permission'
Project Zero: The State of State Machines
https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.html
Bugs in Signal, Facebook, Google chat apps let attackers spy on users
https://www.bleepingcomputer.com/news/security/bugs-in-signal-facebook-google-chat-apps-let-attackers-spy-on-users/
Of the seven video conferencing apps Silvanovich investigated, the five mentioned above were found to be vulnerable. This vulnerability could allow a sending device to send audio and video data to a receiving device. 'Theoretically, getting the recipient's consent before the audio or video is sent can be achieved in a very simple way, without adding a track to PeerConnection until the user receives the call. Looking at real-world applications, it was possible to send data in a variety of ways, and many were due to vulnerabilities that allowed connections without the recipient's permission, 'said Silvanovich. I am.
For example, a Google Duo bug leaked video to the sender of a communication, even if the recipient of the communication didn't actually receive it. This bug has been fixed in December 2020. In addition, Facebook Messenger also had a bug that it became connected before the voice call was taken, but it was fixed in November 2020 . Similar vulnerabilities were found in JioChat and Mocha, but JioChat was fixed in July 2020 and Mocha was fixed in August 2020 . In addition, when Mr. Silvanovich confirmed whether similar vulnerabilities exist in Telegram and Viber , it is said that there was no problem with these two.
In this survey, the group call function was not investigated, only interpersonal calls were targeted, and Silvanovich shows that it is necessary to investigate group calls in the future.
Related Posts:
