This is from ZDNet, um, written by a, um, Catalin, uh, Cimpanu for Zero Day. I'm so horrible. If I got your name wrong, um, but he wrote, um, and I'm going to kind of go over this real quick, um: Facebook Messenger had a bug which could have allowed hackers to spy on you. So what it would do is, it's patched now, so it's good. They got it patched. Um, Messenger bug could have allowed callers to connect audio calls without callee's knowledge or approval. Yeah, well, that's bad. And that, um, they pretty much said they fixed, um, right. This is basically, was part of the Messenger Android app, and it could have allowed actors to place or connect Messenger audio calls without the callee's knowledge or interaction. That's bad. Um, they've also been used to spy on Facebook users through their Android phones. That's real bad. Um, and what it was, it was, there was a security audit done by, uh, Natalie Silvanovich, a researcher working for Google's Project Zero security team, who happened to find it. Uh, good on her. Good job, good job, Natalie. Awesome job. Um, okay, um, so from what she said, it resides in the WebRTC protocol used to support the audio and video calls. Um, it's a problem residing in the Session Description Protocol, or SDP, which is part of the WebRTC protocol, um, and she discovered that the SDP message could be abused to auto-approve WebRTC connections without user interactions.
Um, okay, that's good, that's bad. That was there; it's good that they caught it. Um, so they, she said that exploiting the bug does take a few seconds, and that, um, the Google researcher reported the issue to Facebook last month, and the social media giant patched it today with an update to its Messenger Android app. And it might have taken them, you know, a month to fix it. I mean, that's one of the things: we'll try, oh, it hasn't worked, this doesn't work. So, you know, patching isn't "hey, we found it, we'd get it fixed tomorrow." It could take you a month to fix it. But it's one of those things where you find it and you don't announce it to people, not because you don't want them to know about it, but you don't want the bad guys to know about it. Because let's say no one knew about this, but she found it, contacts Facebook, Facebook: "Dude, we're on it," and they get it fixed. Because she would announce it to the world and Facebook goes, "Oh crap, we got to fix this," and all of a sudden all the, um, all the black hat guys go, "Oh, here's something we didn't know about. Let's go exploit it," you know, before, um, before they fix it. So, you know, no. So this is why a lot of times you don't hear until after the fact. I know I've mentioned this a lot, but I do it just because people should know, um.
"This report is among the three highest bug bounties at sixty thousand dollars, which reflects its maximum attention," but Facebook said. Um, and she said, um, "Facebook just awarded a bounty of sixty thousand dollars for this bug, which I'm donating to @GiveWell Maximum Impact Fund." Um, so it sounds like, I mean, this lady's not hurting for money on x. 60 grand would help me out a lot, I'll tell you that much, but I'm not a coder. So, um, and she's found, um, to this, that she has found and reported similar issues on other instant messaging applications, one of her areas of expertise. Um, in 2018 she found a bug in WhatsApp for the Android, iOS. Um, she found in 2019 four interactionless bugs in iOS iMessage, and also a fifth iMessage bug that could have been used to break an iPhone. That's bad. Um, so overall, uh, this young lady did a very good job. So applause to her, and so, uh, good thing it got fixed. And again, I'm not a bit, I'm not on Facebook.