Detecting serious vulnerabilities in messaging applications

Any application on any smart device or platform can suffer from security holes, and this is normal. However, the emergence of these vulnerabilities in messaging applications is more serious, as it directly threatens users' privacy and security. Most messaging apps have a history of security vulnerabilities, including the well-known FaceTime app from Apple, which in 2019 suffered from a very dangerous vulnerability that allowed hackers to activate the microphone and camera in conference calls and eavesdrop on them.

This vulnerability was so serious that Apple disabled the group communication feature completely within the application for a period of time until the problem was completely resolved. What increased the seriousness of this vulnerability is that it did not require any action on the part of the user. Most vulnerabilities require the user to do something, such as pressing a button or opening a malicious link. This vulnerability, and others like it, did not need that.

In general, these vulnerabilities can reach a high level of risk. They may allow the hacker to make or answer a call from your phone himself. This is according to researcher Natalie Silvanovich, who works on Google's Project Zero.

Silvanovich has worked for many years to discover dangerous vulnerabilities in messaging applications, specifically vulnerabilities that do not require any user intervention, known as interaction-less. She revealed her findings at the Black Hat security conference that took place a short time ago.

Serious vulnerabilities have been found in major messaging apps, such as Signal, Google Duo, and Facebook Messenger, along with other global apps like JioChat and Viettel Mocha. Silvanovich has stated that she thought the vulnerability that appeared in FaceTime previously was so special that it would not appear again, but she was wrong about that.

The researcher found a vulnerability in the Facebook Messenger application that allows hackers to listen to voice conversations that take place on the target device. The JioChat and Viettel Mocha apps, meanwhile, contained vulnerabilities that allowed access to audio and video at the same time.

As for the Signal application, it contained a vulnerability that allowed the hacker to access the audio content on the platform within calls. The vulnerability in the Google Duo app allowed access to the video, but only for a few seconds. However, that was enough for the hacker to capture some frames.

Silvanovich stated that all of these vulnerabilities were fixed after she reported them, and that one of their main causes is reliance on the open-source WebRTC project to provide real-time communication services.
