WebRTC | Breaking Cybersecurity News | The Hacker News

In January 2019, a  critical flaw  was reported in Apple's FaceTime group chats feature that made it possible for users to initiate a FaceTime video call and eavesdrop on targets by adding their own number as a third person in a group chat even before the person on the other end accepted the incoming call. The vulnerability was deemed so severe that the iPhone maker removed the FaceTime group chats feature altogether before the issue was resolved in a subsequent iOS update. Since then, a number of similar shortcomings have been discovered in multiple video chat apps such as Signal, JioChat, Mocha, Google Duo, and Facebook Messenger — all thanks to the work of Google Project Zero researcher Natalie Silvanovich. "While [the Group FaceTime] bug was soon fixed, the fact that such a serious and easy to reach vulnerability had occurred due to a logic bug in a calling state machine — an attack scenario I had never seen considered on any platform — made me wonder whether other sta

Facebook has patched a bug in its widely installed Messenger app for Android that could have allowed a remote attacker to call unsuspecting targets and listen to them before even they picked up the audio call. The flaw was discovered and reported to Facebook by  Natalie Silvanovich  of Google's Project Zero bug-hunting team last month on October 6 with a 90-day deadline, and impacts version 284.0.0.16.119 (and before) of Facebook Messenger for Android. In a nutshell, the vulnerability could have granted an attacker who is logged into the app to simultaneously initiate a call and send a specially crafted message to a target who is signed in to both the app as well as another Messenger client such as the web browser. "It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out," Facebook's Security Engineering Manager Dan Gurfinkel  said . According t

When it comes to ensuring the security of your APIs, there are four critical capabilities.