Signal, Facebook and Google among apps open to eavesdropping

The bugs could allow criminals to listen in on private calls without the target's knowledge

A researcher from Google's Project Zero team has revealed details of security vulnerabilities in widely used video chat apps, enabling bad actors to eavesdrop on the target's surroundings without their knowledge.

According to security engineer Natalie Silvanovich, the bugs existed in Signal, Google Duo and Facebook Messenger, as well as other apps mostly used in Asia. They allowed attackers to listen in on a call recipient without the target being alerted.

Each vendor has since patched the bugs - some faster than others.

"On January 29, 2019, a serious vulnerability was discovered in Group FaceTime which allowed an attacker to call a target and force the call to connect without user interaction from the target," Silvanovich wrote in a blog post.

"The bug was remarkable in both its impact and mechanism," she added.

The flaw was so serious that Apple removed the FaceTime group chats feature before it could address the issue in a subsequent iOS update.

Following the discovery of the FaceTime bug, Project Zero team investigated several other messaging apps and identified similar flaws affecting Signal, Facebook Messenger, Google Duo, JioChat (mostly used in India), and Mocha (prevalent in Vietnam).

No such issues were found in the Viber or Telegram apps, Silvanovich said, adding that significant reverse engineering challenges made Viber investigation "less rigorous" than the others.

Signal, which has recently seen a massive increased in its user base, patched the vulnerability in September 2019. It is unlikely that many Signal users will be vulnerable to the bug now.

Silvanovich said that the Signal iOS app had a similar logical issue, but an error in the UI (caused by the unexpected sequence of states) prevented the call from being connected without the receiver's knowledge.

Facebook patched the flaw in its Messenger app in November 2020, while Google addressed the issue in December 2020. In Google Duo, the vulnerability caused the receiving device to leak video packets from unanswered calls.

Bugs in JioChat and Mocha were also patched last year, in July and August, respectively.

Silvanovich says she reviewed only one-to-one calling functions in her investigation and did not look at group calling features.

"This is an area for future work that could reveal additional problems," she added.