Vulnerabilities were discovered in several video conferencing mobile apps that allow attackers to listen to a user’s surroundings without consent before the person on the other end picks up the calls.
The vulnerabilities have now been fixed. But, before being patched, targeted devices were forced to transmit audio to attackers, without gaining code execution.
The logic bugs in the Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps were discovered by Google Project Zero security researcher Natalie Silvanovich.
“I investigated the signaling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data,” Silvanovich explained.