In the blog on the website of the Google Project Zero team, Natalie Silvanovich (Natalie Silvanovich) described its research on the security of popular applications for communication. She spent the work in 2020 and, in accordance with the unlawful code of the so-called white hackers, published results after the vulnerabilities were eliminated.
Natalie analyzed the logic of the video features in Signal, Facebook Messenger, Google Duo, Jiochat and Mocha. At such a step, it was advocated not only curiosity, but also the previously acquired experience. The fact is that about two years ago in the FaceTime function on Apple devices found a long vulnerability: without the knowledge of the victim, the attacker could capture a picture from the phone camera.
Moreover, it is not in hacking an application, but to use the incorrect logic of the work of the video link itself. At the exchange of packages confirming the connection, the initiating connection can replace the permission to transfer the picture from the target user. And the problem is that on the sacrifice side, the program will consider this manipulation legitimate, even without user actions.
Yes, this scheme has limitations. First, you need to initiate a call and do it in a certain way. That is, the victim will always be able to respond. Secondly, the portion of the data obtained as a result will be very limited. The picture is fixed from the front camera - and it is not a fact that it looks where you need an attacker. In addition, the sacrifice will see the call and either take it or drops it. In other words, it is secretly possible to make sure only the smartphone in the hands of the smartphone when he ranns.
But the situation is still unpleasant, and there can sometimes be enough such information. Natalie found similar vulnerabilities in all the above applications. Their work mechanism differed from the messenger to the messenger, but a fundamentally scheme remained the same. Good news for Telegram and Viber lovers: they are so deprived of such flaw, with their video calls everything is in order. At least, so far have not been identified.
In Google Duo, the vulnerability was closed in December last year, at Facebook Messenger - in November, Jiochat and Mocha were updated in the summer. But before all, Signal corrected a similar mistake, back in September 2019, but this messenger and investigated the first. Thus, cybersecurity experts once again reminded the need for regular updates of installed applications. You can not know about a serious problem, but the developers have already corrected it.
Silvanovich separately notes that she analyzed only the function of video calls between two users. That is, only the case in which the connection is established between the "subscribers" directly. In his report, she announced the next stage of work - group video conferencing in popular messengers.
Source: Naked Science