Facebook Messenger Rooms Exploit Bypasses Android Screen Lock
A security flaw in Facebook’s Messenger Rooms video chat feature lets attackers access a victim’s private Facebook photos and videos, and submit posts, from the victim’s locked Android screen. Messenger Rooms, Facebook’s newest video conferencing service, allows up to 50 people to video chat at the same time. You can talk for as long as you want, and you don’t need a Facebook account to join a room.
Rooms calls, like Zoom calls, are not secured end-to-end. Unless you change your preferences, a room you create is open to anybody you’re friends with on Facebook; they can join it, and they also see it at the top of their News Feed. According to a proof-of-concept video supplied to Facebook with the vulnerability report, a user’s Facebook account can be compromised by inviting them to a Messenger Room, calling them, answering the call on the target device, and then tapping the chat function.
Although physical access to the victim’s device is required, the attack can be carried out without the victim’s smartphone or tablet being unlocked. The finding earned Nepalese security researcher Samip Aryal a $3,000 bug bounty.
Aryal’s newest discovery was inspired by a similar Facebook Messenger flaw he found in October 2020, in which users’ private saved videos and watch history could be exposed during a Messenger call via the Watch Together function. That flaw, which could be exploited by an attacker with physical access to a locked Android smartphone, was patched along with other comparable flaws by requiring users to unlock their phones before using the affected features.
The researcher, logged into a Facebook account on a desktop PC, hosted a Messenger Room and invited an account that was active on an Android device to join. After entering the room with the ‘malicious’ account, he called the victim’s device from the ‘invited users’ section, and the screen-locked target smartphone began ringing within seconds. “I then picked up the call and tried all previously known sensitive features like ‘watch together’, ‘add people’, etc., but all of them needed to first unlock the phone before using them,” said Aryal.
The discovery came when the researcher noticed an option in the top right-hand corner of the call screen to ‘chat’ with other participants. “I found that I could access all private photos/videos on that device without even unlocking the phone, as well as submit posts by clicking on the ‘edit’ option for any media,” he said.