Facebook has patched a significant flaw in the Android version of Facebook Messenger that could have allowed attackers to spy on users and potentially identify their surroundings without them knowing.
Natalie Silvanovich, a security researcher at Google Project Zero, discovered the vulnerability, which she said existed in the app’s implementation of WebRTC, a protocol used to make audio and video calls by “exchanging a series of thrift messages between the callee and caller,” she explained a description posted online.
In a normal scenario, audio from the person making the call would not be transmitted until the person on the other end accepts the call. This is rendered in the app by either not calling setLocalDescription until the person being called has clicked the “accept button,” or setting the audio and video media descriptions in the local Session Description Protocol (SDP) to inactive and updating them when the user clicks ...
Copyright of this story solely belongs to threatpost.com . To see the full text click HERE