A newly discovered vulnerability in Facebook Messenger for iOS has revealed a critical flaw that could disrupt group calls by exploiting emoji reactions.
This denial-of-service (DoS) bug, identified by Signal 11 Research in version 472.0.0 and analyzed in version 477.0.0, has since been patched, but its implications highlight the risks of unencrypted group chats.
Messenger, used by hundreds of millions worldwide, introduced default end-to-end encryption (E2EE) for chats and calls in December 2023.
However, group chats initially lack E2EE, allowing access to features unavailable in encrypted chats—such as emoji reactions during group calls.
This vulnerability, categorized as a denial-of-service (DoS) issue, was triggered by sending an invalid emoji reaction during group calls.
2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide
This seemingly innocuous feature became the focal point of a security flaw that caused Messenger apps on iOS devices to crash.
How the Exploit Works
The vulnerability was uncovered through reverse engineering and dynamic analysis of the Messenger app. Researchers found that emoji reactions in group calls are processed by two key classes: SendEmojiInputModel and ReactionsApi$CProxy.
These classes handle the transmission of emoji data to recipients’ devices.
Using tools like Frida, researchers intercepted and modified the sendEmoji method to send invalid emoji strings instead of valid ones.
For instance, replacing an emoji with a hexadecimal string that does not correspond to any Unicode character—such as F_fe0fACE_WITH_COLON_THREE—triggered a crash on iOS devices participating in the group call.
The invalid data caused the Messenger app to fail when processing the malformed input, leading to a DoS condition for all iOS users in the call. Interestingly, while the Android device used to send the invalid emoji also crashed, other Android recipients remained unaffected.
The root cause lies in how Messenger processes emoji data during group calls. When invalid input is sent, the app fails to validate or handle it gracefully, resulting in a crash.
Address Space Layout Randomization (ASLR) further complicated debugging efforts by shifting memory addresses dynamically.
Researchers mapped loaded modules before triggering the bug to identify the problematic code path. The stack trace revealed that Messenger’s failure to validate input from non-E2EE group chats was at fault, Signal 11 Research said.
Although this vulnerability does not allow remote code execution (RCE), its ability to disrupt communication highlights significant security gaps in non-E2EE environments.
Meta has since patched the issue in newer versions of Messenger for iOS, ensuring robust input validation for emoji reactions.
Users are advised to update their Messenger apps to avoid potential exploitation. Additionally, enabling E2EE for group chats where possible can mitigate similar risks tied to unencrypted features.
This discovery underscores the importance of rigorous testing for all app functionalities—even those as seemingly trivial as emoji reactions—to prevent vulnerabilities that could compromise user experience or system stability.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free