…

This writeup is about how a user’s Sensitive Private Data like photos/videos saved inside his/her device could have been leaked out through a Facebook Room Call even from a locked Android device.

…

In October 2020; I submitted a valid vulnerability report in Facebook Whitehat Program where users’ private saved videos/watch history could have been exposed from the watch together feature in a Messenger call from a locked Android device.
(Ref- https://infosecwriteups.com/users-private-watched-videos-list-saved-videos-etc-30faa8610b33)

Shortly Summarizing, there; users could have made a messenger call to the victim’s account and then receive the call from the victim’s locked Android phone to use the ‘Watch Together’ feature from the call screen without unlocking the phone thus allowing the intruder to get access to all of the saved videos & Watch History of the Facebook user. So, basically; the vulnerability here was that Facebook was allowing users to use such a sensitive feature like Watch Together even from a locked state of the device. Facebook patched this one along with similar such vulnerabilities by asking first to unlock the phone before using such sensitive features from a locked Android phone.

So, one day; some thoughts triggered in my mind when I suddenly remembered that report:

1) What if, instead of a normal Messenger Call; it was a Room Call?

,

2) Is there similar such sensitive feature available in a room call which can be accessed from outside the lock screen without unlocking the phone?

So, without any delay,

1. I made two test Facebook accounts; one logged into my Android Phone (Let, UserA-Victim) and another logged into my PC(Let, UserB-Attacker).
2. Here, UserA’s Android Phone was in a Locked state.
3. Then, from UserB, I hosted a Messenger Room and invited UserA to the room & joined the room myself too.
4. Then, from UserB; I called UserA from the ‘invited users’ section.
5. After some seconds, the call rung up in UserA’s Locked Android Phone.
6. I then picked up the call and tried all previously known sensitive features like ‘watch together’, ‘add people’, etc. but all of them needed to first unlock the phone before using them.
7. Then, Suddenly, I saw something like this at the top right corner of the call:

There’s a chat option for the group formed between the room attendees.

So, getting excited I clicked it immediately.

Then, as soon as I clicked, a beautiful view popped out like this:

I was like:

Not just because I just knew that I could message the group without even unlocking the phone but because of that gallery option present there at the side of the text box.

So, immediately; I clicked on that option at the fastest possible velocity.

After seeing that scenery, I was like:

I found that I could access all private photos/videos on that device without even unlocking the phone. Moreover; I could post stories to the victim_user’s Logged-In Facebook from the same locked state by clicking on the ‘edit’ option for any media.

So, wrapping up all the information, I quickly made a report to Facebook. Facebook Security Team made a quick-hot fix of the vulnerability at the client-side as well as the server-side to also patch it in previous vulnerable versions of messenger, in just less than a day after triage and rewarded me with an awesome bounty that I didn’t even expect for an attack scenario requiring physical reach to the victim’s device. Though, I appreciate their decision for the bounty based on the scope of what impact this vulnerability would have brought among the Android FB users.

If you would like to check the POC video of this vulnerability that I sent with the report, you can find it here.

…

Thank you for reading this write-up about the simple scenario of a highly impacting vulnerability. If you have any queries/suggestions, I’m available on Facebook/ Instagram.