Then, the attacker needed to invite the target to Messenger Rooms via a different device and Facebook account, make a call, and then answer it on the target device before clicking Chat.
Once these steps were completed, the attacker would gain access to the victim’s Android device without needing to unlock it.
The bad actor could then look through the victim’s personal photos and videos, as well as publish posts on the target’s Facebook account.
While the exploit required physical access to the target’s Android phone, the fact that it was able to bypass any need to unlock the device made it a potentially nasty and dangerous threat.
Facebook offered Aryl a bounty of $3,150 for bringing the issue to their attention, and quickly patched it.