SDK Bug Lets Attackers Spy on User’s Video Calls Across Dating, Healthcare Apps
upstart writes in with an IRC submission:
SDK Bug Lets Attackers Spy on User's Video Calls Across Dating, Healthcare Apps:
A vulnerability in an SDK that allows users to make video calls in apps like eHarmony, Plenty of Fish, MeetMe and Skout allows threat actors to spy on private calls without the user knowing.
Researchers discovered the flaw, CVE-2020-25605, in a video-calling SDK from a Santa Clara, Calif.-based company called Agora while doing a security audit last year of personal robot called "temi," which uses the toolkit.
Agora provides developer tools and building blocks for providing real-time engagement in apps, and documentation and code repositories for its SDKs are available online. Healthcare apps such as Talkspace, Practo and Dr. First's Backline, among various others, also use the SDK for their call technology.
[...] Due to its shared use in a number of popular apps, the flaw has the potential to affect "millions, potentially billions, of users," reported Douglas McKee, principal engineer and senior security researcher at McAfee Advanced Threat Research (ATR), on Wednesday.
McKee said he did not find evidence that the bug is being exploited in the wild.
The flaw makes it easy for third parties to access details about setting up video calls from within the SDK across various apps due to their unencrypted, cleartext transmission. This paves the way for remote attackers to "obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic," according to the vulnerability's CVE description.
Researchers reported this research to Agora.io on April 20, 2020. The flaw remained unpatched for about eight months until Dec. 17, 2020, when the company released a new SDK, version 3.2.1, "which mitigated the vulnerability and eliminated the corresponding threat to users," McKee said.