Facebook Messenger Rooms’ flaw allows hackers to steal photos and videos from affected users

A recent security report points to the detection of a security flaw in the Facebook Messenger Rooms video chat feature would allow threat actors to access photos and videos stored on the device of affected Android users. It all starts with a user receiving an invitation to a video call room, calling and answering the call from the target device, which has been demonstrated in a proof-of-concept video shared with Facebook.

This attack requires physical access to the target device, which complicates the chances of attack. However, the attack can be carried out without the need to unlock the smartphone. Samip Aryal, the researcher who informed Facebook about the flaw, received a reward of 3 thousand dollars for his report.

Facebook Messenger Rooms’ flaw allows hackers to steal photos and videos from affected users

The idea behind this report is based on a vulnerability previously found in the messaging platform whose exploitation would have allowed confidential images and videos to be extracted through Facebook Messenger’s Watch Together feature. This vulnerability was fixed by forcing users to unlock the device before responding to a video call.

The researcher decided to apply the same attack method to messenger rooms’ “Room Call” function, discovering that this function would also be affected by a similar flaw. In addition, it is possible to activate the fault during a call without unlocking the victim’s device.

When logging into a Facebook account through a desktop, the researcher hosted a messaging room and invited an active account on an Android device to join. After joining the room from the account that functioned as an attacker, the expert called the victim’s device from the “guest users” section and, within a few seconds, the target device, with a locked screen, began to ring: “I just answered the call and tried all the features previously identified as vulnerable, although most required an unlocked device.”, adds Aryal.

However, the researcher did not delay in noticing the pop-up message to interact with other guests in the chat room: “I discovered that I could access the confidential photos and videos on the device using this feature without unlocking the phone, which allowed me to view some image and video files,” the expert concludes. Facebook received the report and the flaw was immediately corrected.

However, the researcher did not delay in noticing the pop-up message to interact with other guests in the chat room: “I discovered that I could access the confidential photos and videos on the device using this feature without unlocking the phone, which allowed me to view some image and video files,” the expert concludes. Facebook received the report and the flaw was immediately corrected.

The post Facebook Messenger Rooms’ flaw allows hackers to steal photos and videos from affected users appeared first on Cyber Security News | Exploit One | Hacking News.

By admin