State machine bug in the Signal app: you can send the callee the message the caller gets when the callee answers, and the callee will think the call has started and enable the mic. No user interaction, but with log and indication (https://twitter.com/moxie/status/1180261210341511168); fixed same day.
It’s potentially exploitable on iOS, but a UI issue has so far prevented the exploit from being useful. That’s not to say it couldn’t be exploited in a useful manner, and the vulnerability is still present. Continuing to use an unpatched version on iOS would be high-risk.
> you can send the callee the message the caller gets when the callee answers
This is the exact same type of bug that was in libssh: https://www.nccgroup.trust/uk/our-research/technical-advisor...
"possible to bypass authentication by presenting to the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication"
Also, Apple had a FaceTime bug of very similar nature:
https://www.theverge.com/2019/1/28/18201383/apple-facetime-b...
"you begin calling somebody via FaceTime Video from within the Phone app. Before that person picks up, you can swipe up to add your own phone number to the call. Once you’ve added yourself, FaceTime immediately seems to assume it’s an active conference call and begins sending the audio of the person you’re calling"
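The check missing in the bugs quoted above, as an added example that is not part of the thread and is not libssh or Signal code: a handler that dispatches on message type alone, beside one that first asks whether that message may arrive for this role in this state. The enum, struct and function names are hypothetical and the model is deliberately reduced to two message types.

```c
#include <stdio.h>

/* Constructed, simplified model. All names are hypothetical. */
enum role  { ROLE_CLIENT, ROLE_SERVER };
enum state { ST_AUTH_PENDING, ST_AUTHENTICATED };
enum msg   { MSG_USERAUTH_REQUEST, MSG_USERAUTH_SUCCESS };
struct session { enum role role; enum state state; };

/* Before: dispatch on message type alone. The SUCCESS branch was written
 * for the client side, but nothing stops it from running on a server. */
int handle_unchecked(struct session *s, enum msg m, int creds_ok)
{
    if (m == MSG_USERAUTH_SUCCESS || (m == MSG_USERAUTH_REQUEST && creds_ok)) {
        s->state = ST_AUTHENTICATED;
        return 0;
    }
    return -1;
}

/* After: may this message arrive for this role in this state? */
static int msg_allowed(const struct session *s, enum msg m)
{
    if (s->state != ST_AUTH_PENDING) return 0;
    if (m == MSG_USERAUTH_REQUEST) return s->role == ROLE_SERVER; /* servers receive requests */
    if (m == MSG_USERAUTH_SUCCESS) return s->role == ROLE_CLIENT; /* clients receive success */
    return 0;                                                     /* unknown type: reject */
}

int handle_checked(struct session *s, enum msg m, int creds_ok)
{
    if (!msg_allowed(s, m)) return -1;   /* rejected, state left untouched */
    return handle_unchecked(s, m, creds_ok);
}

/* State a fresh server session ends in after receiving one message. */
enum state server_state_after(int checked, enum msg m, int creds_ok)
{
    struct session s = { ROLE_SERVER, ST_AUTH_PENDING };
    if (checked) handle_checked(&s, m, creds_ok);
    else         handle_unchecked(&s, m, creds_ok);
    return s.state;
}

int main(void)
{
    printf("unchecked: %d\n", server_state_after(0, MSG_USERAUTH_SUCCESS, 0));
    printf("checked:   %d\n", server_state_after(1, MSG_USERAUTH_SUCCESS, 0));
    return 0;
}
```

The same role-and-state filter applies to the call-signalling case in the thread: a callee should never accept the "answered" message that only a caller is meant to receive.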