Bugs Founded in Facebook, Signal, Jio Chat, Google Duo that sanctions the hackers to hijack user data!

Bugs Founded in Facebook, Signal, Jio Chat, Google Duo that sanctions the hackers to hijack user data!

Multiple vulnerabilities are found in video conferencing mobile applications that assist the attackers to steal user data with their permissions as the person picked up and ends the call.

Bugs Founded in Facebook, Signal, Jio Chat, Google Duo that sanctions the hackers to hijack user data!

This bug was reported by Google security researcher Natalie Silvanovich that includes Signal, Facebook, Google Duo, Messenger, Jio Chat, Mocha messaging application.

Before these bugs are patched they permit the hackers to force the users to get the transmitted audio send from sender to receiver without the code of execution.

What Passed in this Bug?

Bugs Founded in Facebook, Signal, Jio Chat, Google Chat

According to Silvanovich, the entire investigation was signaling these video conferencing applications, and more than five vulnerabilities founded that permit the caller to force a callee device while transmitting the audio or video data.

Theoretically, it is very important to take the callee consent before audio or video transmission. It shoulda fair and simple matter until or unless the user accepts the call before adding the tracks to the connection.

The majority of messaging applications rely on WebRTC for communication purposes, while connecting the people and exchanging the information using the SDP tool between connected peers is called signaling.

What is WebRTC?

Bugs Founded in Facebook, Signal, Jio Chat, Google Chat that sanctions the hackers to hijack user data!

When the users initiate a WebRTC call to another user then a session is created that is called an offer which contains all the information required for setting a connection. This entire process is a state machine which signifies that the signaling the exchange to the offer and while answering the current connection.

Both the devices have to share the information while establishing the connection or exchanging the audio and video data from the peer-to-peer connection. But before this overall process works, and media data is stored and has to be attached in the connection called tracks.

Therefore it is expected that with the callee concern no data is to be shared over a call.

As per the investigation, the researcher said that they enable the transmission in several ways and let to the vulnerabilities that permit them to be connected without the callee concern.

The security researcher also added that in Signal the vulnerability that was patched now will initiate a direct call to the sender with user interaction. Whereas in Google duo the bug spotted permits the callees to leaked the video packets even from the unreceived calls, which was fixed in December 2020. On the other hand, Facebook Messenger automatically connects the call before the callee answered.

Whereas in July 2020 JioChat and Mocha messengers faced similar vulnerabilities that authorize the hacker to send audio and video without user consent.

Conclusion

The overall bug founded in these applications is that they allowed the hackers to transmitted the audio and video from callee to the caller with callee’s permission. These vulnerabilities will be founded in peer-to-peer calls and didn’t examine the group calling feature.

Leave a Reply