Facebook has fixed a critical bug in its Messenger app that could have allowed hackers to connect audio calls without the knowledge or approval from the app user.
The vulnerability could have been used to spy on Facebook users via Android phones, reports ZDNet.
The Google researcher reported the issue to Facebook last month, and the social media giant patched it on Wednesday in an update to its Messenger for Android app.
The bug was found during a security audit by Natalie Silvanovich, a researcher working for Google’s Project Zero security team.
In a tweet, Silvanovich said Facebook awarded her a $60,000 bug bounty for reporting the issue.
“There is a message type that is not used for call set-up, SdpUpdate,” Silvanovich was quoted as saying.
- Instagram Users Can Ping You On Facebook Messenger Without Downloading App and Vice Versa
- Facebook Introduces Forwarding Limit In Messenger to Curb Fake News
“If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”
The Google researcher reported the issue to Facebook last month.
“This report is among our three highest bug bounties at $60,000, which reflects its maximum potential impact,” Facebook said in a statement.
Silvanovich in 2018 found a bug in WhatsApp for Android and iOS that would have allowed attackers to take over the app after a user answered a video call.