20 January 21, 17:56
Quote:Google Project Zero researcher Natalie Silvanovich outlined what she believes is a common theme when it comes to serious vulnerabilities impacting leading chat platforms. The research, published Tuesday, identifies a common denominator within chat platforms, called “calling state machine”, which acts as a type of dial tone for messenger applications.
Silvanovich warns that this common “calling state machine” mechanism used by Signal, Google Duo, Facebook Messenger, JioChat and Mocha is ripe for abuse today and has been the common thread in a litany of past critical bugs.
For example, past bugs in the messaging apps Signal, Google Duo and Facebook Messenger, which had allowed threat actors to spy on users through unauthorized transmission of audio or video, were tied to configuration errors in the “calling state machine”. Those settings, Silvanovich said, are key to setting up simple app consent between user connections.
In all, Silvanovich identified five logic vulnerabilities in the signalling state machines of seven video conferencing applications that “could allow a caller device to force a callee device to transmit audio or video data.”
While all of the vulnerabilities she identified have already been fixed, the prevalence of the errors in how state machines are implemented in these types of apps–as well as a lack of awareness of this type of bug–means that they will continue to pose a threat, Silvanovich said.
Read more: https://threatpost.com/google-research-p...ms/163175/