Security News > 2021 > February > SDK Bug Lets Attackers Spy on User’s Video Calls Across Dating, Healthcare Apps
A vulnerability in an SDK that allows users to make video calls in apps like eHarmony, Plenty of Fish, MeetMe and Skout allows threat actors to spy on private calls without the user knowing.
Healthcare apps such as Talkspace, Practo and Dr. First's Backline, among various others, also use the SDK for their call technology.
The flaw makes it easy for third parties to access details about setting up video calls from within the SDK across various apps due to their unencrypted, cleartext transmission.
Upon examination of the Agora video SDK, researchers discovered that it allows information to be sent in plaintext across the network to initiate a video call.
While developers do have the option in the Agora SDK to encrypt the call, key details about the calls are still sent in plaintext, allowing attackers to acquire these values and use the ID of the associated app "To host their own calls at the cost of the app developer," McKee explained.
If developers encrypt calls using the SDK, attackers can't view video or hear audio of the call, he said.
News URL
https://threatpost.com/sdk-bug-spy-calls-dating-healthcare-apps/164068/