Main Vulnerability Database SB2021012072

SB2021012072 - Race condition in Google Duo chat app

Published: January 20, 2021

Security Bulletin ID SB2021012072

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Race condition (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a race condition within the way the mobile application implements WebRTC features for voice and video communications. A remote attacker can send specially crafted SDP messages to the affected device while the victim is trying to make a voice or video call and intercept video and audio fragments from the victim's phone before the call is accepted by the callee.

Remediation

Install update from vendor's website.

References

https://www.bleepingcomputer.com/news/security/bugs-in-signal-facebook-google-chat-apps-let-attackers-spy-on-users/
https://bugs.chromium.org/p/project-zero/issues/detail?id=2085&q=duo&can=1