Google's Project Zero researcher Natalie Silvanovich found several "interaction-less" vulnerabilities in messaging apps. These remote eavesdropping bugs do not require users to click a malicious link, download an attachment, or interact in any way.
The bugs, all of which have been patched, involved exposing audio only in Signal and Facebook Messenger, video only in Google Duo, and both audio and video in JioChat and Viettel Mocha. Silvanovich found that some of the vulnerabilities were related to developers misunderstanding or poorly implementing features from the WebRTC open source project, as well as flaws in design decisions related to when and how the service sets up calls.
"A reason a lot of these bugs happened is, people who designed these systems didn't think about the promises they were making in terms of when audio and video are actually being transmitted and verify that they were being kept," Silvanovich said.
View Full Article – May Require Paid Registration
Abstracts Copyright © 2021 SmithBucklin, Washington, DC, USA
No entries found