It’s been almost a decade since Facebook started offering researchers cash rewards for finding and disclosing vulnerabilities in the company’s platforms. Those same 10 years have proved both the social network’s popularity and serious pitfalls, as its privacy and misinformation-related failures have impacted geopolitics around the world. But the bug bounty program, at least, has consistently been a bright spot, this year paying out two of its three largest rewards ever—including $60,000 for a bug in Messenger that could have allowed an attacker to call you and start listening to your end before you picked up.
Discovered by Natalie Silvanovich of Google’s Project Zero bug hunting team, the vulnerability, which is now patched, could have been exploited on Messenger for Android if an attacker simultaneously called a target and sent them a specially crafted, invisible message to trigger the attack. From there, the hacker would start hearing audio from the victim’s end of the call, even if they didn’t answer, for however long it rang. The bug bears some similarities to one Apple scrambled to patch last year in FaceTime group calls.
“What you would see is the attacker calling you and then the phone ringing and they could listen until you pick up or the call times out,” says Dan Gurfinkel, Facebook’s security engineering manager. “We quickly patched this before it was exploited.”
The vulnerability would have been difficult to exploit in practice for a few reasons. It required that both the attacker and target be logged into Facebook for Android and that the victim also be logged into Messenger in a web browser or some other way. Unlike the FaceTime bug, which a regular user could have exploited, an attacker here would have needed technical reverse-engineering tools to send the special second message. The caller and recipient would also need to be Facebook “friends” for the attack to work, which limits its utility versus being able to call anyone out of the blue. Still, given that Facebook now has more than 2.7 billion active users, it’s possible to find a population of targets that meet almost any parameters.
“After a similar bug was reported in FaceTime last year, I started investigating whether this type of vulnerability existed in other video conferencing applications,” Project Zero’s Silvanovich says. “So far, four bugs have been fixed as a result in Signal, Mocha, JioChat, as well as Facebook Messenger. And I’m still researching other applications.”
Rather than needing to issue a patch in the mobile app, Facebook was able to adjust its own server-side infrastructure to instantly fix the flaw for all users. And the company was able to determine with some certainty that the bug had never been exploited, because no logs contained evidence of the strategic protocol messages attackers would need to send.
Due to the nature of Project Zero’s work, Silvanovich says she would have disclosed the flaw to Facebook whether they were offering bug bounty rewards or not.
Regardless of a participant’s motivations, though, Facebook’s bug bounty offers the highest reward possible for the level of severity—even if the original submission would have only netted a small prize. For example, the program this year awarded $80,000, its highest payout to date, for a submission that itself would have been worth about $500, but led the company’s own security researchers to find a more significant flaw. The vulnerability in Facebook’s “content delivery network,” part of the company’s internal infrastructure for serving data, originally seemed minor. But it hinted at a deeper issue in which some of the system’s URLs remained accessible after they were programmed to expire, creating a potential opening for remote code execution, or remote control, of the CDN. The issue has been fully patched and Gurfinkel says there is no sign it was ever exploited, but bug bounty participant Selamet Hariyanto, a first-time awardee, got an unexpected windfall from a seemingly simple finding.