June 7, 2023

Google Project Zero researchers disclosed vulnerabilities in several video conferencing and messaging applications that could allow malicious users and threat actors to eavesdrop without getting detected.

The vulnerabilities allowed attackers to listen to the surroundings of the person they called even before the call was picked up. These bugs were found in the Google Duo, Signal, JioChat, Facebook Messenger, and Mocha messaging apps.

The vulnerabilities were discovered in January 2019 in Apple’s FaceTime group chat feature and allowed users to initiate a FaceTime video call and spy on targets by merely adding their number as a third person in a group chat before the person accepted the incoming call. Apple removed the group chat feature until the issue was resolved.

Signal

The vulnerability found in the Signal app was patched in Sep 2019. It allowed attackers to send the connect message from the caller device to the callee without any user interaction. The connect message is supposed to travel the other way around, from the callee to the caller.
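A simplified model of the check described above, added here as an illustration and not Signal's actual code: the `CallSession` class, the message names and the `enforce_role` switch are all assumptions. A callee refuses a `connect` message from the peer, so the microphone starts only after a local accept.

```python
from enum import Enum

Role = Enum("Role", "CALLER CALLEE")
State = Enum("State", "RINGING CONNECTED ENDED")

class ProtocolError(Exception):
    """Signalling message not valid for this role or state."""

class CallSession:
    """One endpoint's view of a 1:1 call (hypothetical, simplified model)."""
    def __init__(self, role, enforce_role=True):
        self.role = role
        self.state = State.RINGING
        self.mic_enabled = False
        self.enforce_role = enforce_role  # False models the missing check

    def user_accepts(self):
        # The only callee path that may start capture: a local UI action.
        if self.role is not Role.CALLEE or self.state is not State.RINGING:
            raise ProtocolError("accept is only valid on a ringing callee")
        self._connect()
        return "connect"  # message the callee now sends to the caller

    def on_remote_message(self, msg):
        if msg == "hangup":
            self.state, self.mic_enabled = State.ENDED, False
        elif msg == "connect":
            # "connect" tells the caller that the callee answered; a callee
            # that receives one drops the call instead of acting on it.
            if self.enforce_role and self.role is not Role.CALLER:
                self.state = State.ENDED
                raise ProtocolError("connect received in callee role")
            if self.state is not State.RINGING:
                raise ProtocolError("connect outside ringing state")
            self._connect()
        else:
            raise ProtocolError(f"unknown message {msg!r}")

    def _connect(self):
        self.state, self.mic_enabled = State.CONNECTED, True

def callee_mic_after_unsolicited_connect(enforce_role):
    """Constructed scenario: a ringing callee gets "connect" from the peer."""
    callee = CallSession(Role.CALLEE, enforce_role)
    try:
        callee.on_remote_message("connect")
    except ProtocolError:
        pass
    return callee.mic_enabled
```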

Google Duo

The Google Duo bug was a race condition that allowed the callee's device to leak video packets from unanswered calls to the caller, connecting the audio call before it was answered. It was patched in Nov 2020.

Facebook Messenger

Facebook Messenger’s bug could allow an attacker to initiate a call and send out a custom message to any target after logging in to the app. The target, however, had to be signed in to both the app and a Messenger client such as the web browser for audio to be received from the callee’s device. This bug was also fixed in Nov 2020.

Mocha and JioChat

Two similar flaws were identified in the Mocha and JioChat messengers. The bugs allowed JioChat audio and Mocha audio/video to be sent. They were fixed in Jul 2020 and Aug 2020, respectively.

Interestingly, all these bugs were discovered in peer-to-peer calls and not in group chat features.

Verdict

If you are using a messaging app, make sure it is updated to the latest version. Updates are meant to fix bugs and flaws that are unknown to unsuspecting users but are a lucrative opportunity for malicious elements.
