Bugs in popular chat apps let attackers spy on users. (21-01-2021)

Preface: I found logic bugs that allow audio or video to be transmitted without user consent in five mobile applications including Signal, Duo and Facebook Messenger, said Natalie Silvanovich.

Background: Bugs in Signal and Google chat apps let attackers spy on users. The vulnerabilities come from the applications' own program code and were not due to WebRTC functionality. Furthermore, the researcher found that Facebook Messenger is also vulnerable to this issue, even though it is perhaps not using WebRTC. Facebook officials say that they use 'fbthrift'. What is Thrift? fbthrift is Facebook's branch of Apache Thrift, including a new C++ server.

Details of the vulnerability can be found at the following website: https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.html

Supplement: The discovery of this vulnerability shows us what the Frida hook framework can do. Frida is a hook framework based on Python + JavaScript. Exploiting the design weakness in Facebook Messenger was not straightforward because of the amount of reverse engineering required. In the end, the Frida hook framework completed the task.

Reference: Instrumentation technology

Instrumentation technology refers to injecting additional code into the program to collect runtime information. It can be divided into two types:

(1) Source Code Instrumentation (SCI): Additional code is injected into the program source code.

(2) Binary Instrumentation: Extra code is injected into the binary executable file.

● Static Binary Instrumentation (SBI): Insert additional code and data before program execution to generate a permanently changed executable file.

● Dynamic Binary Instrumentation (DBI): Insert additional code and data in real time while the program is running, without any permanent changes to the executable file.
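
The dynamic case described above, as an added Python example (not code from the original post, Project Zero or Frida): methods of a constructed toy `CallSession` are wrapped at run time to collect a call trace, the trace is checked for audio being enabled before the user accepts, and the wrappers are then removed so nothing is permanently changed. It works at the Python method level rather than on a binary; `CallSession`, `instrument`, `restore`, `consent_violations` and `run` are hypothetical names.

```python
import functools

class CallSession:
    """Constructed toy callee-side session; not code from any real app."""
    def __init__(self):
        self.audio_on = False
    def on_offer(self):        # incoming call starts ringing
        pass
    def accept(self):          # user taps "answer"
        pass
    def enable_audio(self):    # microphone track starts sending
        self.audio_on = True

def instrument(cls, names, trace):
    """Wrap the named methods at run time; return the originals for undo."""
    originals = {}
    for name in names:
        originals[name] = getattr(cls, name)
        def make(orig, label):
            @functools.wraps(orig)
            def hooked(self, *args, **kwargs):
                trace.append(label)            # the injected extra code
                return orig(self, *args, **kwargs)
            return hooked
        setattr(cls, name, make(originals[name], name))
    return originals

def restore(cls, originals):
    """Remove the hooks, leaving the class exactly as it was."""
    for name, fn in originals.items():
        setattr(cls, name, fn)

def consent_violations(trace):
    """Indexes of enable_audio events with no accept since the last offer."""
    accepted, bad = False, []
    for i, event in enumerate(trace):
        if event == "on_offer":
            accepted = False
        elif event == "accept":
            accepted = True
        elif event == "enable_audio" and not accepted:
            bad.append(i)
    return bad

def run(order):
    """Drive a session through `order` while instrumented; return findings."""
    trace = []
    saved = instrument(CallSession, ["on_offer", "accept", "enable_audio"], trace)
    try:
        session = CallSession()
        for step in order:
            getattr(session, step)()
    finally:
        restore(CallSession, saved)
    return trace, consent_violations(trace)
```
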
