McAfee Advanced Threat Research (ATR) team uncovered a critical security vulnerability in Agora, a video calling software development kit (SDK), which could allow an attacker to spy on ongoing video and audio calls. Agora is a video, audio, and live interactive streaming platform used by many social media applications like eHarmony, MeetMe, Plenty of Fish, and Skout, along with health care apps like Talkspace, Practo, and Dr. First’s Backline.
Agora allows app developers to embed voice and video chat, live streaming, real-time recording, and messaging into their applications. It is estimated that Agora’s SDKs are deployed on more than 1.7 billion devices globally.
The flaw, CVE-2020-25605, transmits cleartext of users’ sensitive information in Agora’s SDK (before 3.1 version) allowing a remote attacker to obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic. Upon successful exploitation, the vulnerability could allow threat actors to launch Man-in-the-Middle Attacks (MITM), which occur when a perpetrator stealthily alters the communications between two unwitting users or a user and an application.
While there is no information on whether the vulnerability is being exploited in the wild, McAfee alerted Agora about the vulnerability. As a response, the company released a new SDK (version 3.2.1), which mitigated the vulnerability and eliminated the potential risks to users.
“Agora’s SDK implementation did not allow applications to securely configure the setup of video/audio encryption, thereby leaving a potential for hackers to snoop on them. In the world of online dating, a breach of security or the ability to spy on calls could lead to blackmail or harassment by an attacker. Other Agora developer applications with smaller customer bases, such as the temi robot, are used in numerous industries such as hospitals, where the ability to spy on conversations could lead to the leak of sensitive medical information,” McAfee said.