A severe security vulnerability in a popular video calling software development kit (SDK) could have allowed an attacker to spy on ongoing private video and audio calls.
That’s according to new research published by the McAfee Advanced Threat Research (ATR) team today, which found the aforementioned flaw in Agora.io’s SDK used by several social apps such as eHarmony, Plenty of Fish, MeetMe, and Skout; healthcare apps like Talkspace, Practo, and Dr. First’s Backline; and in the Android app that’s paired with “temi” personal robot.
California-based Agora is a video, voice, and live interactive streaming platform, allowing developers to embed voice and video chat, real-time recording, interactive live streaming, and real-time messaging into their apps. The company’s SDKs are estimated to be embedded into mobile, web, and desktop applications across more than 1.7 billion devices globally.
McAfee disclosed the flaw (CVE-2020-25605) to Agora.io on April 20, 2020, following which the company released a new SDK on December 17, 2020, to remediate the threat posed by the vulnerability.
The security weakness, which is the consequence of incomplete encryption, could have been leveraged by bad actors to launch man-in-the-middle attacks and intercept communications between two parties.
images from Hacker News