It has emerged that a number of video chat apps, including Signal, have been found to have severe security flaws. As reported by Tech Radar, Google's Project Zero security team has found a worrying number of issues.
With many of us stuck indoors during 2020 and into 2021, video chat has been an integral part of our way of life. Zoom emerged as the major player in this space over the last 12 months.
However, even Zoom was by no means immune to privacy and security issues. The company is currently under investigation by US prosecutors for reported issues with its privacy practices.
Zoom also had to introduce a range of new security measures in the latter half of 2020. This was to try to curb 'Zoombombers', individuals who tried to disrupt chats with negative behaviour.
Given that some of the major companies faced security and privacy issues, it is hardly surprising that apps such as Signal also have some underlying vulnerabilities.
Major security issues found in video chat apps such as Signal
It is not just Signal that has had its security issues uncovered. Google's Project Zero security team found that Google Duo, Facebook Messenger, and other messaging apps had major issues.
The team found that these apps allowed attackers to listen in on users without their permission. Natalie Silvanovich, a security engineer at Google’s Project Zero, reported that her team first found this bug back in 2019 in Group FaceTime.
Silvanovich noted that an attacker could "force the call to connect without user interaction from the target". This allowed "the attacker to listen to the target’s surroundings without their knowledge or consent".
Following this initial discovery, the team found the bug to also be present in Signal, Google Duo, Facebook Messenger, JioChat, and Mocha. However, the investigation found no such issues in the Telegram or Viber apps.
Most worryingly, these security flaws required little to no technical skill to exploit. However, since the investigation, the companies involved have patched the bugs in question.
For most apps, the flaw simply allowed an attacker to listen in on a call. However, in some circumstances, the flaw caused the leak of video packets from unanswered calls. This was the case for Google Duo.
Silvanovich pointed out that there could be a lot more vulnerabilities out there in these apps. Given that her team only looked into peer-to-peer calls, not group features, she believes more problems may lie in wait for these apps. She recommends this as an area for companies to look into urgently.