Main Vulnerability Database SB2021012075

SB2021012075 - Information disclosure in Mocha chat app

Published: January 20, 2021

Security Bulletin ID SB2021012075

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to deisgn errors during implementation of the app. A remote attacker can send specially crafted SDP messages to the affected device while the victim is trying to make a voice or video call and intercept video and audio fragments from the victim's phone before the call is accepted by the callee.

Remediation

Install update from vendor's website.

References

https://www.bleepingcomputer.com/news/security/bugs-in-signal-facebook-google-chat-apps-let-attackers-spy-on-users/
https://bugs.chromium.org/p/project-zero/issues/detail?id=2064&q=mocha&can=1