"What you would see is the attacker calling you and then the phone ringing and they could listen until you pick up or the call times out," says Dan Gurfinkel, Facebook's security engineering manager. "We quickly patched this before it was exploited."
The vulnerability would have been difficult to exploit in practice for a few reasons. It required that both the attacker and target be logged into Facebook for Android, and that the victim also be logged into Messenger in a web browser or on another client. Unlike the FaceTime bug, which a regular user could have exploited, an attacker here would have needed reverse-engineering tools to craft and send the special second message. The caller and recipient would also need to be Facebook "friends" for the attack to work, which limits its utility compared with being able to call anyone out of the blue. Still, given that Facebook now has more than 2.7 billion active users, it's possible to find a population of targets that meets almost any set of parameters.
"After a similar bug was reported in FaceTime last year, I started investigating whether this type of vulnerability existed in other video conferencing applications," Project Zero's Silvanovich says. "So far, four bugs have been fixed as a result in Signal, Mocha, JioChat, as well as Facebook Messenger. And I’m still researching other applications."
Rather than needing to ship a patch for the mobile app, Facebook was able to adjust its own server-side infrastructure, fixing the flaw for all users at once. The company was also able to determine with some confidence that the bug had never been exploited, because its logs held no trace of the specially crafted protocol messages an attacker would have had to send.
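The two preceding paragraphs describe three things a practitioner may want to see concretely: a callee client that honours a second signalling message before the user has answered, a fix enforced at the signalling server rather than in the app, and a log check for the messages an attacker would have had to send. The Python below is an added illustration written for this page; it is not Facebook's, Messenger's or Project Zero's code. The message names (`offer`, `media_update`, `hangup`), the call states and the server logic are simplified assumptions, not Messenger's actual protocol.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class CallState(Enum):
    IDLE = "idle"
    RINGING = "ringing"    # offer arrived, user has not answered yet
    ACCEPTED = "accepted"  # user answered; media may flow
    ENDED = "ended"


@dataclass
class Signal:
    """One signalling message from caller to callee (hypothetical names, not Messenger's)."""
    kind: str             # "offer", "media_update" or "hangup"
    call_id: str
    audio: bool = False   # media_update: caller asks the callee to enable/disable its mic


@dataclass
class CalleeClient:
    """Callee-side state machine. mic_on means audio is leaving the device."""
    strict: bool                       # True = hardened, False = vulnerable
    state: CallState = CallState.IDLE
    mic_on: bool = False

    def handle(self, sig: Signal) -> None:
        if sig.kind == "offer" and self.state == CallState.IDLE:
            self.state = CallState.RINGING          # start ringing, mic stays off
        elif sig.kind == "media_update":
            # Vulnerable client: honours the peer's media request in any state,
            # so a crafted update during RINGING turns the mic on before answer.
            # Hardened client: ignores it unless the user has actually accepted.
            if not self.strict or self.state == CallState.ACCEPTED:
                self.mic_on = sig.audio
        elif sig.kind == "hangup":
            self.state, self.mic_on = CallState.ENDED, False

    def answer(self) -> None:
        """Local user presses 'accept'; only now should audio start."""
        if self.state == CallState.RINGING:
            self.state, self.mic_on = CallState.ACCEPTED, True


class SignallingServer:
    """Relays signals and records them; optionally enforces the state check itself."""

    def __init__(self, filter_pre_answer: bool) -> None:
        self.filter_pre_answer = filter_pre_answer
        self.answered: set[str] = set()
        self.log: list[tuple[str, str, bool]] = []   # (call_id, kind, answered at receipt?)

    def mark_answered(self, call_id: str) -> None:
        self.answered.add(call_id)

    def relay(self, sig: Signal, callee: CalleeClient) -> None:
        answered = sig.call_id in self.answered
        self.log.append((sig.call_id, sig.kind, answered))
        # Server-side fix: a media update for a call the server has not seen
        # answered is never forwarded, so even unpatched clients are protected.
        if self.filter_pre_answer and sig.kind == "media_update" and not answered:
            return
        callee.handle(sig)


def pre_answer_media_updates(log: list[tuple[str, str, bool]]) -> list[str]:
    """Log check: a media_update recorded before the call was answered is the
    footprint an attacker would leave, whether or not the attempt succeeded."""
    return [call_id for call_id, kind, answered in log
            if kind == "media_update" and not answered]


def run_attack(strict_client: bool, server_filters: bool) -> tuple[bool, list[str]]:
    """Constructed attack: offer, then the crafted media update while the callee
    is still ringing. Returns (audio leaked before answer?, suspicious call ids)."""
    server = SignallingServer(filter_pre_answer=server_filters)
    callee = CalleeClient(strict=strict_client)
    server.relay(Signal("offer", "call-1"), callee)
    server.relay(Signal("media_update", "call-1", audio=True), callee)
    leaked = callee.mic_on and callee.state == CallState.RINGING
    return leaked, pre_answer_media_updates(server.log)


def run_legitimate_call(strict_client: bool, server_filters: bool) -> bool:
    """Constructed normal call: offer, user answers, caller later asks callee to
    mute. Returns True if the mute request was honoured (no regression from the fix)."""
    server = SignallingServer(filter_pre_answer=server_filters)
    callee = CalleeClient(strict=strict_client)
    server.relay(Signal("offer", "call-2"), callee)
    callee.answer()
    server.mark_answered("call-2")
    server.relay(Signal("media_update", "call-2", audio=False), callee)
    return callee.state == CallState.ACCEPTED and not callee.mic_on


if __name__ == "__main__":
    print("vulnerable client, no server filter:", run_attack(False, False))
    print("hardened client, no server filter: ", run_attack(True, False))
    print("vulnerable client, server filter:   ", run_attack(False, True))
```

Two points the model makes visible: the server-side filter protects clients that never receive an app update, which is why a fix in the signalling infrastructure reaches everyone at once; and the log check flags the pre-answer media update in every run, including the ones where the attack failed, so searching logs for that message is how one would establish whether the bug had ever been tried.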
Due to the nature of Project Zero's work, Silvanovich says she would have disclosed the flaw to Facebook whether or not it offered bug bounty rewards.

Regardless of a participant's motivations, though, Facebook's bug bounty pays the highest reward possible for the severity of the issue ultimately found, even if the original submission on its own would have netted only a small prize. For example, the program this year awarded $80,000, its highest payout to date, for a submission that by itself would have been worth about $500 but led the company's own security researchers to a more significant flaw. The vulnerability in Facebook's content delivery network, part of the company's internal infrastructure for serving data, originally seemed minor. But it hinted at a deeper issue in which some of the system's URLs remained accessible after they were supposed to expire, creating a potential opening for remote code execution, or remote control, of the CDN. The issue has been fully patched and Gurfinkel says there is no sign it was ever exploited, but bug bounty participant Selamet Hariyanto, a first-time awardee, got an unexpected windfall from a seemingly simple finding.
At the same time, the company mounted a huge effort, led by CTO Mike Schroepfer, to create artificial intelligence systems that can identify, at scale, the content that Facebook wants to zap from its platform, including spam, nudes, hate speech, ISIS propaganda, and videos of children being put in washing machines.