"SDK Bug Lets Attackers Spy on User’s Video Calls Across Dating, Healthcare Apps"
Researchers from McAfee Advanced Threat Research (ATR) discovered a flaw (CVE-2020-25605) in a video-calling SDK from a Santa Clara, Calif.-based company called Agora while performing a security audit last year of a personal robot called “temi,” which uses the Agora toolkit. Agora provides developer tools and building blocks for real-time engagement in apps. Healthcare apps such as Talkspace, Practo, and Dr. First’s Backline, among various other types of apps, use the SDK for their call technology. Because the SDK is shared across many popular apps, the flaw has the potential to affect “millions–potentially billions–of users,” the researchers stated. The researchers did not find evidence of the bug being exploited in the wild.

The flaw makes it easy for third parties to obtain the details used to set up video calls from within the SDK across various apps, because those details are transmitted unencrypted, in cleartext. This paves the way for remote adversaries to access the audio and video of any ongoing Agora video call by observing cleartext network traffic.

The researchers reported their findings to Agora.io on April 20, 2020. The flaw remained unpatched for about eight months until December 17, 2020, when the company released a new SDK, version 3.2.1, which mitigated the vulnerability and eliminated the corresponding threat to users.
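Since the fix is a new SDK release, the practical check for an app team is whether any of its build files still declare an Agora SDK version older than 3.2.1. The following added example (not from the article, McAfee or Agora) scans constructed Gradle and CocoaPods dependency lines for such declarations; the artifact names `io.agora.rtc:*` and `AgoraRtcEngine_iOS` are assumed here and are not stated on the page.

```python
"""Flag Agora RTC SDK dependency declarations older than the patched release.

Added example for CVE-2020-25605: the advisory states that SDK 3.2.1 mitigated
the cleartext transmission of call-setup details, so anything below it is flagged.
"""
import re
from typing import List, Tuple

PATCHED_VERSION = (3, 2, 1)  # first fixed release named in the advisory

# Assumed dependency coordinates (not on the page): Gradle group io.agora.rtc
# and the CocoaPods pod AgoraRtcEngine_iOS. Adjust to the names your project uses.
GRADLE_RE = re.compile(r"""['"]io\.agora\.rtc:([\w-]+):(\d+(?:\.\d+)*)['"]""")
POD_RE = re.compile(
    r"""pod\s+['"](AgoraRtcEngine\w*)['"]\s*,\s*['"]\s*(?:~>|>=|=)?\s*(\d+(?:\.\d+)*)['"]"""
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2' into (3, 2, 0) so tuples compare numerically, not as strings."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, len(PATCHED_VERSION) - len(parts))


def is_vulnerable(version: str) -> bool:
    """True when the declared version predates the patched release."""
    return parse_version(version) < PATCHED_VERSION


def audit(lines: List[str]) -> List[Tuple[int, str, str, bool]]:
    """Return (line number, artifact, version, vulnerable?) for every Agora declaration."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for pattern in (GRADLE_RE, POD_RE):
            match = pattern.search(line)
            if match:
                artifact, version = match.group(1), match.group(2)
                findings.append((number, artifact, version, is_vulnerable(version)))
    return findings


# Constructed sample lines standing in for an Android build.gradle and an iOS Podfile.
SAMPLE_BUILD_FILES = [
    "implementation 'io.agora.rtc:full-sdk:3.1.3'",          # predates the fix
    'implementation "io.agora.rtc:full-sdk:3.2.1"',          # patched release
    "pod 'AgoraRtcEngine_iOS', '~> 3.0.1'",                  # predates the fix
    "pod 'AgoraRtcEngine_iOS', '3.3.0'",                     # newer than the fix
    "implementation 'com.squareup.okhttp3:okhttp:4.9.0'",   # unrelated, ignored
]

if __name__ == "__main__":
    for number, artifact, version, vulnerable in audit(SAMPLE_BUILD_FILES):
        status = "UPDATE REQUIRED" if vulnerable else "ok"
        print(f"line {number}: {artifact} {version}: {status}")
```

The check only sees direct declarations in the files you feed it; a transitive pull of the SDK through another library needs the resolved dependency tree (for example `gradle dependencies` or `Podfile.lock`) as input instead.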