Adam Bannister June 14, 2021 at 12:40 UTC

Updated: June 14, 2021 at 13:27 UTC

Researcher earns $ 3,000 bug bounty after compromising Facebook accounts on locked-to-screen devices

A security breach in Facebook’s Messenger Rooms video chat feature meant that attackers could access a victim’s private Facebook photos and videos, and submit messages, through their locked Android screens.

A user’s Facebook account can be compromised by inviting them to a Messenger room, then calling and answering the call from the target device, before clicking on the chat feature – as shown in a video by validation sent to Facebook with the vulnerability report.

Although requiring physical access to a victim’s device, the attack was able to be carried out without unlocking a target smartphone or tablet and earned Nepalese security researcher Samip Aryal a bug bounty of $ 3,000.

Security bug suite

Aryal’s latest discovery was inspired by a previous similar Facebook Messenger vulnerability he discovered in October 2020, whereby users’ private and recorded videos and viewing history could be exposed through the Watch Together feature during of a Messenger call.

ADVISED SIP protocol abused to trigger XSS attacks via VoIP call monitoring software

Also exploitable by an attacker with physical access to a locked Android device, the bug has been fixed with similar vulnerabilities by forcing users to unlock their phones before using the features in question.

Aryal decided to apply the same hacking technique to Messenger Rooms’ ‘room calling’ feature and discovered that the chat feature could also be activated during a call without unlocking the victim’s Android phone or tablet.

Unlock the feat

Connected to a Facebook account through a desktop computer, the researcher hosted a Messenger room and invited an active account on an Android device to join.

After joining the room from the “malicious” account, he called the victim’s device from the “Guest Users” section, and within seconds the target device locked to the screen started ringing .

“I then picked up the call and tried all the previously known sensitive features like ‘watch together’, ‘add people’ etc., but all had to unlock the phone first before using them,” said Aryal.

Learn about the latest social media security news.

The breakthrough came when the researcher noticed a prompt to “chat” with other room attendees in the upper right corner of the call screen.

“I found out that I could access all private photos / videos on this device without even unlocking the phone,” as well as submit messages “by clicking on the” edit “option for any media,” a he declared.

“Awesome bonus”

Aryal said Facebook’s security team implemented a patch for the vulnerability within a day of triage, on the client side “as well as the server side to also fix it in previous vulnerable versions of Messenger.”

The size of the “impressive bounty” was a pleasant surprise given that the attack scenario required physical access to the victim’s device, he added, even though the main barrier to authentication of the victim was The device has proved to be of little use in this context.

The daily sip asked the researcher for further comments. We will update this article if we receive a response.

DON’T FORGET TO READ IoT security: researchers uncover the risk of eavesdropping on Stem Audio smart speakers