Patched Bugs in Calling Functionality
Natalie Silvanovich, a security researcher from Google Project Zero has discovered various logic bugs in several instant messengers, that would let an attacker to snoop on the target. She spotted five bugs in seven video conferencing apps, that transmit the audio/video even before the callee accepts the call request.
— Natalie Silvanovich (@natashenka) January 19, 2021 This is concerning since the actual theoretical practice is the other way around. It’s like when the caller makes a call to his contact, he should only be getting the audio response from callee’s side only after the callee accepts the request. But, she observed that some apps are allowing the audio transmission to happen even before the callee accepts the call. She had seen this flaw in apps like Signal, JioChat Facebook Messenger, Mocha, and even in their Google Duo! All of these bugs were spotted in 2020 and patched. This happens not only in terms of audio but also for video calling too in some apps. Google Duo and Mocha transferred video packets to the caller even before the callee accepted in. Talking about the most popular messenger today, WhatsApp, there’s a bug that would crash the app when the user accepts a call. This was patched through after reporting. She hadn’t found any of such bugs in Telegram and Viber.
