Messaging apps are incredibly important these days, as people are still unable to freely meet in person to talk about personal, work, or school matters. According to a security researcher, however, some of the apps we are using aren't as safe as we think they are.


Logic Bugs Found in Messaging Apps

According to a report by Bleeping Computer, Google Project Zero security researcher Natalia Silvanovich has found vulnerabilities in several messaging apps, including Facebook Messenger, Signal, Google Duo, Mocha, and JioChat, that allow attackers to listen to their victim's surroundings without consent before the victim picks up a call.

Through the logic bugs found in these messaging services, targeted devices are forced to pick up and transmit audio to attackers, without the attacker needing to execute any code on the device.

"I investigated the signaling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data," Silvanovich explained. "Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection."

However, the security researcher said that when she looked at the applications, it turned out that they enable transmission "in different ways."
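The consent rule in the quote above, as an added example that is not code from the Project Zero report or from any of the apps named: a callee-side state machine in which only a local user action adds tracks to the peer connection. `FakePeerConnection`, `CalleeCall` and the message type names are hypothetical stand-ins so the logic runs in Node without a real `RTCPeerConnection`.

```javascript
// Constructed stand-in for RTCPeerConnection so the state machine runs offline.
class FakePeerConnection {
  constructor() { this.tracks = []; this.remoteDescription = null; }
  addTrack(track) { this.tracks.push(track); }
  setRemoteDescription(desc) { this.remoteDescription = desc; }
}

class CalleeCall {
  constructor(pc, localTracks) {
    this.pc = pc;
    this.localTracks = localTracks; // mic/camera tracks, held back until accept
    this.state = 'idle';
  }

  // Messages arriving from the network. Nothing in here may attach media.
  onSignal(msg) {
    switch (msg.type) {
      case 'offer':
        if (this.state !== 'idle') return false;
        this.pc.setRemoteDescription(msg.sdp);
        this.state = 'ringing';
        return true;
      case 'hangup':
        this.state = 'ended';
        return true;
      default:
        // Unknown or out-of-order types (e.g. a hypothetical 'connected') are dropped.
        return false;
    }
  }

  // Called only from the local UI when the user accepts the call.
  acceptByUser() {
    if (this.state !== 'ringing') return false;
    for (const t of this.localTracks) this.pc.addTrack(t);
    this.state = 'connected';
    return true;
  }
}

function demo() {
  const pc = new FakePeerConnection();
  const call = new CalleeCall(pc, ['audio0']);          // constructed track id
  call.onSignal({ type: 'offer', sdp: 'constructed-sdp' });
  call.onSignal({ type: 'connected' });                 // remote tries to skip consent
  const before = pc.tracks.length;
  call.acceptByUser();
  return { before, after: pc.tracks.length, state: call.state };
}
```

The property to check in a real client is the same: every code path that calls `addTrack` should be reachable only from the local accept handler, never from a handler for incoming signaling messages.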


Patched Bugs

These differences in how transmission is enabled lead to vulnerabilities that allow calls to be connected without the consent of the callee.

If you are using these messaging apps and haven't updated them yet, do so as soon as you can: the bugs have been fixed, and the patched versions prevent the unwanted audio transmission that attackers could use.

According to the report, the vulnerabilities in the JioChat and Mocha messaging apps were discovered in July 2020, and JioChat fixed its vulnerability that same month.

Meanwhile, Mocha fixed the vulnerability in August 2020.

The Google Duo bug, which allowed callers to leak video packets from an unanswered target device, was fixed in December 2020, while the Facebook Messenger flaw was fixed in November 2020.

Based on the report, the Messenger bug allowed audio calls to connect before the callee had answered.

Signal Bug Fixed, Telegram, Viber are Safe

The Signal bug, which was the first to be discovered, was already patched in September 2019, so it should be entirely safe to use these days.

Silvanovich also checked two other popular messaging apps, Telegram and Viber, but wasn't able to find any similar vulnerability, so your calls are kept secure with those apps. That is good news, since many people are choosing these apps amid the WhatsApp privacy policy change in the belief that they are more secure and private.

As much as possible, update your applications regularly as these updates include fixes to previously known bugs that could be used against you, especially as Silvanovich revealed that most of the calling state machines she had investigated had the same logic vulnerabilities.

The rest of the report is available on Google Project Zero's blog.


This article is owned by Tech Times

Written by: Nhx Tingson
