After compromising Facebook accounts on screen-locked devices, a researcher receives a $3,000 bug bounty

Jun 15, 2021 09:18 GMT

Due to a security vulnerability in Facebook's Messenger Rooms video chat feature, attackers were able to access a victim's private Facebook photos, videos, and posts, according to The Daily Swig.  

As shown in a proof-of-concept video provided to Facebook along with the vulnerability report, a Facebook account could be hijacked by inviting it into a Messenger Room. Even though physical access to a victim's device was required, the attack could be carried out without unlocking the target smartphone or tablet, earning the Nepalese security researcher Samip Aryal a $3,000 bug reward.

The sequel to the security bug 

Aryal's latest discovery was prompted by an earlier, similar Messenger vulnerability he discovered in October 2020. Back then he could expose private stored videos and viewing history during a Messenger conversation via the Watch Together feature.

The issue, which could also be exploited by an attacker with physical access to a locked Android smartphone, was patched along with similar vulnerabilities; the fix required users to unlock their phones before they could use the features in question.

Aryal chose to apply the same hacking approach to Messenger Rooms' call feature and discovered that the chat function could be activated during a conversation without unlocking the victim's Android smartphone or tablet.

Unlocking the exploit 

The researcher hosted a Messenger Room while logged into a Facebook account on a desktop PC and invited an active account on an Android device to join. After entering the room with the malicious account, he called the victim's device from the Invited Users section, and the target smartphone, whose screen was locked, began ringing within seconds.

Aryal said, “I then picked up the call and tried all previously known sensitive features like ‘watch together’, ‘add people’, etc. but all of them needed to first unlock the phone before using them.”

The breakthrough came when the researcher observed an option in the top right-hand corner of the call screen to chat with other room attendees. “I found that I could access all private photos/videos on that device without even unlocking the phone,” as well as submit posts “by clicking on the ‘edit’ option for any media,” he explained.

According to Aryal, Facebook's security team implemented a hotfix for the vulnerability on the client side "as well as on the server side to patch it in previous vulnerable versions of Messenger as well" within a day of the sighting.

The amount of the awesome bounty was a welcome surprise, he said, since the attack scenario required physical access to the victim's device, although the device's primary authentication barrier proved ineffective in this case.