Android screen lock protection thwarted by Facebook Messenger Rooms exploit

By Shirley J. Speights
June 14, 2021
Adam Bannister June 14, 2021 at 12:40 UTC

Updated: June 14, 2021 at 13:27 UTC

Researcher earns $3,000 bug bounty after compromising Facebook accounts on screen-locked devices

A security flaw in Facebook’s Messenger Rooms video chat feature meant that attackers could access a victim’s private Facebook photos and videos, and submit messages, through their locked Android screens.

A user’s Facebook account could be compromised by inviting them to a Messenger room, then calling and answering the call from the target device, before clicking on the chat feature, as shown in a proof-of-concept video sent to Facebook with the vulnerability report.

Although it required physical access to a victim’s device, the attack could be carried out without unlocking the target smartphone or tablet, and it earned Nepalese security researcher Samip Aryal a bug bounty of $3,000.

Security bug sequel

Aryal’s latest discovery was inspired by a similar Facebook Messenger vulnerability he discovered in October 2020, whereby users’ private and recorded videos and viewing history could be exposed through the Watch Together feature during a Messenger call.

Also exploitable by an attacker with physical access to a locked Android device, that bug was fixed, along with similar vulnerabilities, by forcing users to unlock their phones before using the features in question.

Aryal decided to apply the same hacking technique to Messenger Rooms’ ‘room calling’ feature and discovered that the chat feature could also be activated during a call without unlocking the victim’s Android phone or tablet.
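The fix described above, requiring an unlock before a sensitive in-call feature runs, is easier to keep complete when it is enforced in one deny-by-default gate, so that a control added later (such as chat) is blocked on a locked device unless someone explicitly allowlists it. This is an added sketch, not Facebook's code; `LockedCallGate` and the `Action` names are hypothetical, and it assumes Android API 26 or later.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import java.util.EnumSet;
import java.util.Set;

/** Hypothetical gate for a call screen that is allowed to show over the lock screen. */
public final class LockedCallGate {
    /** Hypothetical in-call actions; the names are illustrative only. */
    public enum Action { ANSWER, HANG_UP, MUTE, OPEN_CHAT, WATCH_TOGETHER, ADD_PEOPLE }

    // Deny by default: only controls that expose no account data may run
    // while the keyguard is up. Anything not listed here requires an unlock.
    private static final Set<Action> ALLOWED_WHILE_LOCKED =
            EnumSet.of(Action.ANSWER, Action.HANG_UP, Action.MUTE);

    private final Activity activity;
    private final KeyguardManager keyguard;

    public LockedCallGate(Activity activity) {
        this.activity = activity;
        this.keyguard =
                (KeyguardManager) activity.getSystemService(Context.KEYGUARD_SERVICE);
    }

    /** Runs the action now if permitted, otherwise only after the user authenticates. */
    public void run(Action action, Runnable body) {
        if (!keyguard.isKeyguardLocked() || ALLOWED_WHILE_LOCKED.contains(action)) {
            body.run();
            return;
        }
        // Device is locked and the action is not allowlisted: ask the system to
        // show the PIN/pattern/biometric prompt before doing anything else.
        keyguard.requestDismissKeyguard(activity,
                new KeyguardManager.KeyguardDismissCallback() {
                    @Override
                    public void onDismissSucceeded() {
                        // Re-check the state rather than trusting the callback alone.
                        if (!keyguard.isKeyguardLocked()) {
                            body.run();
                        }
                    }
                    // onDismissCancelled / onDismissError keep their default
                    // no-op behaviour, so the action is simply dropped.
                });
    }
}
```

A client-side gate like this only covers app versions that ship it, so it complements rather than replaces enforcement on the server.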

Unlock the feat

Logged in to a Facebook account on a desktop computer, the researcher hosted a Messenger room and invited an active account on an Android device to join.

After joining the room from the “malicious” account, he called the victim’s device from the “Guest Users” section, and within seconds the screen-locked target device started ringing.

“I then picked up the call and tried all the previously known sensitive features like ‘watch together’, ‘add people’ etc., but all had to unlock the phone first before using them,” said Aryal.


The breakthrough came when the researcher noticed a prompt to “chat” with other room attendees in the upper right corner of the call screen.

“I found out that I could access all private photos/videos on this device without even unlocking the phone,” as well as submit messages “by clicking on the ‘edit’ option for any media,” he said.

“Awesome bonus”

Aryal said Facebook’s security team implemented a patch for the vulnerability within a day of triage, on the client side “as well as the server side to also fix it in previous vulnerable versions of Messenger.”

The size of the “impressive bounty” was a pleasant surprise given that the attack scenario required physical access to the victim’s device, he added, even though the main barrier on the victim’s device, authentication, proved to be of little use in this context.

The Daily Swig has asked the researcher for further comment. We will update this article if we receive a response.
