Agora SDK Bug Left Several Video Calling Apps Vulnerable to Snooping
2021-02-17 05:29

A severe security vulnerability in a popular video calling software development kit could have allowed an attacker to spy on ongoing private video and audio calls.

That's according to new research published today by the McAfee Advanced Threat Research team, which found the flaw in Agora.io's SDK. The SDK is used by several social apps such as eHarmony, Plenty of Fish, MeetMe, and Skout; by healthcare apps like Talkspace, Practo, and Dr. First's Backline; and by the Android app that's paired with the "Temi" personal robot.

California-based Agora is a video, voice, and live interactive streaming platform, allowing developers to embed voice and video chat, real-time recording, interactive live streaming, and real-time messaging into their apps.

"Agora's SDK implementation did not allow applications to securely configure the setup of video/audio encryption, thereby leaving a potential for hackers to snoop on them," the researchers said.

Specifically, the function responsible for connecting an end-user to a call passed parameters such as the App ID and authentication token in plaintext. An attacker able to sniff network traffic could abuse this shortcoming to gather call information and subsequently launch their own Agora video application to dial into calls stealthily, without the attendees' knowledge.

It's highly recommended that developers using the Agora SDK upgrade to the latest version to mitigate the risk.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/ZPUVDvxR8ps/agora-sdk-bug-left-several-video.html