Michele Renzullo michelerenzullo

@thesamesam
thesamesam / xz-backdoor.md
Last active June 27, 2024 15:18
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said, we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

@xdavidhu
xdavidhu / wokplace-ssl-pinning-bypass.md
Last active April 25, 2024 16:32
Bypassing SSL Pinning in Facebook/Meta Workplace (Android)

Tested on Workplace for Android version 362.0.0.29.109. This approach might work in other Facebook/Meta applications. Thank you Imre Rad for helping me analyze the binary.

How does it work?

The Workplace Android app uses the Fizz open source TLS-1.3 library to communicate with the backend APIs. This library is written in C++, and is compiled to native code. It is running as a native library attached to the Android app.

The certificate verification is implemented in fizz/client/ClientProtocol.cpp, on line 1944. The easiest way to bypass this check is to patch the if (state.verifier()) { check on line 1942.

@xaliphostes
xaliphostes / README.md
Last active February 7, 2024 08:53
Emscripten pthread lib in web worker

A small multi-threaded C++ library (so, does not include any main) compiled with emscripten and pthread running under the main thread in the browser, a web worker or using node.js.

Note: Emscripten will produce lib.js.

Using a web browser

Running this lib in the main thread is fine but, obviously, blocks the main thread. Running it in a web worker leads to no errors once the worker script is modified (see below).

Using node.js

Runs fine, except that it prevents the Node app from ever exiting.