A new vulnerability in Facebook Messenger for iOS could disrupt group calls by exploiting emoji reactions.
Discovered by Signal 11 Research in version 472.0.0 and analyzed in version 477.0.0, this denial-of-service (DoS) bug has been patched. It highlights the risks of unencrypted group chats.
Messenger, used by millions, added end-to-end encryption (E2EE) for chats and calls in December 2023.
But group chats don’t have E2EE yet, allowing features like emoji reactions during group calls, which aren’t available in encrypted chats.
The DoS vulnerability was triggered by sending an invalid emoji reaction during a group call, crashing the Messenger app on every iOS device in that call.
How the Exploit Works
The vulnerability was found through reverse engineering and analysis of the Messenger app. Researchers discovered that emoji reactions in group calls are processed by two main classes: SendEmojiInputModel and ReactionsApi$CProxy, which handle the emoji data transmission.
Using Frida, the researchers hooked the sendEmoji method so that it sent invalid emoji strings instead of a real emoji. For example, replacing the emoji with the string F_fe0fACE_WITH_COLON_THREE crashed the iOS devices in the group call.
The invalid data caused the Messenger app to crash when processing the malformed input, leading to a DoS condition for all iOS users in the call. While the Android device that sent the invalid emoji also crashed, other Android recipients were unaffected.
The issue comes from how Messenger handles emoji data in group calls. When invalid input is sent, the app fails to process it properly, causing a crash.
Address Space Layout Randomization (ASLR) made debugging harder, because module load addresses changed on every run.
Researchers mapped the modules before triggering the bug to find the faulty code. The stack trace showed that Messenger failed to validate input from non-E2EE group chats, according to Signal 11 Research.
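The fix described above comes down to treating a peer's reaction as untrusted input. The following is an added illustration, not Messenger's or Signal 11 Research's code: a hypothetical validator that accepts only a well-formed single emoji sequence (base character, optional variation selector, skin-tone modifier, ZWJ sequence or flag pair) and drops anything else, including the F_fe0fACE_WITH_COLON_THREE payload from the article, before it reaches the rendering path. The code point ranges are an approximation of the Unicode emoji blocks, not the full UTS #51 property data.

```python
# Hypothetical defensive validation of an incoming emoji-reaction string.
# Not Messenger's own code. The emoji ranges below are an assumption that
# approximates the Unicode emoji blocks rather than the full UTS #51 data.

MAX_CODEPOINTS = 12            # enough for ZWJ families and flag pairs

EMOJI_BASE = (                 # blocks that hold emoji base characters
    (0x2600, 0x27BF),          # Misc Symbols and Dingbats (e.g. U+2764)
    (0x1F1E6, 0x1F1FF),        # regional indicators (flag pairs)
    (0x1F300, 0x1F6FF),        # pictographs, emoticons, transport
    (0x1F900, 0x1FAFF),        # supplemental and extended pictographs
)
SKIN_TONE = (0x1F3FB, 0x1F3FF)  # modifiers, only valid after a base
ZWJ, VS16 = 0x200D, 0xFE0F


def _is_skin_tone(cp: int) -> bool:
    return SKIN_TONE[0] <= cp <= SKIN_TONE[1]

def _is_base(cp: int) -> bool:
    return any(lo <= cp <= hi for lo, hi in EMOJI_BASE) and not _is_skin_tone(cp)

def _is_regional(cp: int) -> bool:
    return 0x1F1E6 <= cp <= 0x1F1FF


def is_valid_reaction(text: str) -> bool:
    """True only for a string that is a single well-formed emoji sequence."""
    cps = [ord(c) for c in text]
    if not cps or len(cps) > MAX_CODEPOINTS or not _is_base(cps[0]):
        return False                      # empty, oversized, or not an emoji
    if _is_regional(cps[0]):              # a flag is exactly two indicators
        return len(cps) == 2 and _is_regional(cps[1])
    need_base = False                     # set right after a ZWJ
    for cp in cps[1:]:
        if need_base:
            if not _is_base(cp) or _is_regional(cp):
                return False
            need_base = False
        elif cp == ZWJ:
            need_base = True
        elif cp == VS16 or _is_skin_tone(cp):
            continue                      # presentation selector / modifier
        else:
            return False                  # letters, digits, '_', ':' and so on
    return not need_base                  # a trailing ZWJ is malformed


def handle_reaction(payload: str, render) -> bool:
    """Gate the rendering path: drop invalid payloads instead of crashing."""
    if not is_valid_reaction(payload):
        return False                      # a real client would log and drop
    render(payload)
    return True
```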
While this vulnerability doesn’t allow remote code execution (RCE), it can disrupt communication, exposing security gaps in non-E2EE chats.
Meta has patched the issue in newer Messenger versions for iOS, adding better input validation for emoji reactions.
Users should update their Messenger apps to prevent exploitation and enable E2EE for group chats to reduce risks.
This highlights the need for thorough testing of all app features, even simple ones like emoji reactions, to prevent vulnerabilities.