A security vulnerability in Facebook’s Messenger Rooms video chat feature meant attackers could access a victim’s private Facebook photos and videos, and submit posts, via their locked Android screen.
A user’s Facebook account could be compromised by inviting them to a Messenger Room, then calling, and answering the call from, the target device, before clicking on the chat function – as demonstrated by a proof-of-concept video sent to Facebook with the vulnerability report.
Despite requiring physical access to a victim’s device, the attack could be executed without unlocking a target smartphone or tablet and netted Nepalese security researcher Samip Aryal a $3,000 bug bounty.
Security bug sequel
Aryal’s latest find was inspired by a previous, similar Facebook Messenger vulnerability he unearthed in October 2020, whereby users’ private, saved videos and viewing history could be exposed via the Watch Together feature during a Messenger call.
Also exploitable by an attacker with physical access to a locked Android device, the bug was patched along with similar vulnerabilities by forcing users to unlock their phone before using the features in question.
Aryal decided to apply the same hacking technique to the Messenger Rooms ‘room call’ function, and discovered that the chat function could also be activated during a call without unlocking the victim’s Android phone or tablet.
Unlocking the exploit
Logged into a Facebook account via desktop PC, the researcher hosted a Messenger Room and invited an account active on an Android device to join.
After joining the room from the ‘malicious’ account, he called the victim’s device from the ‘invited users’ section, and within a few seconds the target, screen-locked device started ringing.
“I then picked up the call and tried all previously known sensitive features like ‘watch together’, ‘add people’, etc. but all of them needed to first unlock the phone before using them,” said Aryal.
The breakthrough came when the researcher noticed a prompt to ‘chat’ with fellow room attendees in the top right-hand corner of the call screen.
“I found that I could access all private photos/videos on that device without even unlocking the phone,” as well as submit posts “by clicking on the ‘edit’ option for any media”, he said.
‘Awesome bounty’
Aryal said Facebook’s security team implemented a hotfix for the vulnerability within a day of triage, on the client side “as well as the server-side to also patch it in previous vulnerable versions of messenger”.
The size of the “awesome bounty” came as a pleasant surprise given the attack scenario required physical access to the victim’s device, he added – albeit the device’s primary authentication barrier proved to be of little use in this context.
The Daily Swig has asked the researcher for further comment. We will update this article should we receive a response.
