A newly disclosed vulnerability in a software development kit used by a variety of applications and sites allows an attacker to spy on ongoing audio and video calls.
Detailed early Wednesday by security researchers at McAfee LLC’s Advanced Threat Research team, the vulnerability relates to the Agora Inc. Video SDK. The Agora SDK is designed to deliver a “real-time engagement platform for meaningful human connections.”
It’s said to power 40 billion minutes of “human connections” a month. The SDK is used by sites and apps from companies such as eHarmony Inc., Plentyoffish Media LLC, The Meet Group Inc. and Skout, as well as healthcare apps such as Talkspace, Practo Technologies Pvt. Ltd. and Dr.First.com Inc.
The vulnerability, officially named CVE-2020-25605, relates to sensitive information sent unencrypted over the Agora Video SDK network. It was first reported to Agora in April 2020, but the company did not update its SDK to address the vulnerability until Dec. 17.
At the core of the issue is that data handled by the SDK is sent without any encryption, or, in the words of the researchers, “sensitive call information being sent in plaintext, without a method for developers to extend encryption to the sensitive call information.”
Strangely, Agora does offer the ability to encrypt traffic, but the researchers found that the option was not widely used. “While it is impossible to be certain, one reason might be because the Agora encryption options require a pre-shared key, which can be seen in its example applications posted on GitHub,” the researchers said. “The Agora SDK itself did not provide any secure way to generate or communicate the pre-shared key needed for the phone call and therefore this was left up to the developers.”
Many calling models, the researchers added, are used in applications that enable the user to call anyone without prior contact. “This is difficult to implement into a video SDK post-release since a built-in mechanism for key sharing was not included,” they said. “It is also worth noting that, generally, the speed and quality of a video call is harder to maintain while using encryption.”
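To make the key-distribution gap described above concrete, here is an added example (not Agora’s SDK code or McAfee’s research code): instead of a static pre-shared key copied from a sample app, each endpoint generates an ephemeral X25519 key pair per call, exchanges only the public key during setup, and derives a 32-byte key bound to the channel name, which the application would then hand to whatever encryption option the SDK exposes. The `call-key-v1` label, the `Party` type and the channel names are assumptions of this example, and SHA-256 over the transcript stands in for a full HKDF to keep it standard-library only.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Party is one call endpoint holding an ephemeral X25519 key pair that is
// generated for a single call and discarded afterwards (no static pre-shared key).
type Party struct{ priv *ecdh.PrivateKey }

// NewParty generates the per-call ephemeral key pair.
func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicBytes is the only key material that crosses the wire during call setup.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// DeriveCallKey turns the X25519 shared secret into a 32-byte key bound to this
// channel and both ephemeral public keys (hashed in sorted order so that caller
// and callee compute the same value).
func (p *Party) DeriveCallKey(peerPub []byte, channel string) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub) // fails on a low-order (all-zero) result
	if err != nil {
		return nil, err
	}
	lo, hi := p.PublicBytes(), peerPub
	if bytes.Compare(lo, hi) > 0 {
		lo, hi = hi, lo
	}
	h := sha256.New()
	h.Write([]byte("call-key-v1|" + channel + "|")) // hypothetical domain label
	h.Write(lo)
	h.Write(hi)
	h.Write(shared)
	return h.Sum(nil), nil
}
```

Because the key is derived from fresh ephemeral keys and the channel name, a key captured or reused from one call is useless for any other, which is the property a hard-coded pre-shared key cannot give.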
The McAfee researchers have no evidence that the vulnerability has been exploited in the wild, but they noted that the situation highlights the importance of encrypting data in transit.
“While the need to protect truly sensitive information such as financial data, health records and other personally identifiable information has long been standardized, consumers are increasingly expecting privacy and encryption for all web traffic and applications,” the researchers concluded. “Furthermore, when encryption is an option provided by a vendor, it must be easy for developers to implement, adequately protect all session information including setup and teardown, and still meet the developers’ many use cases.”