An acute security flaw in Agora SDK would have given hackers access to snoop around ongoing user-private audio and video calls.
According to recent reports released by McAfee Advanced Threat Research (ATR), the security bug was discovered in Agora.io’s Software Development Kit (SDK) which is integrated by multiple social apps like MeetMe, eHarmony, Plenty of Fish, and Skout.
Apps in the healthcare sectors like Talkspace, Practo, and Dr. First’s Backline, Practo, and Talkspace as well as an Android app which is paired with the ‘temi’ robot.
Agora.io is a real-time audio and video engagement platform which is based in California. Developers utilize Agora.io to integrate real-time messaging, audio and video chatting, mutual live streaming as well as recording into respective apps.
Agora SDKs are evaluated to be integrated into mobile, web, and desktop applications across more than 1.6 billion devices on a global scale.
McAfee ATR uncovered the security flaw before Agora.io back in April 2020. In response to the revelation, Agora.io released a patched version of the SDK on December 17, 2020, to rectify the vulnerabilities that could have been exploited by bad actors.
The security flaw, which is suspected to be an outcome of fragmentary encryption, could have been exploited and abused by threat actors to initiate MITM attacks and seize communication between two users.
Experts are of the opinion that Agora.io’s SDK implementation did not allow systems and applications to have secure configurations of audio and video encryption setup and leaves them susceptible to cyberthreats and cyberattacks.
It’s strongly encouraged that developers embedding the Agora SDK upgrade to the latest version to alleviate the vulnerabilities.
The function which was responsible for hitching an end-user to a call, passed parameters like App ID and authentication token parameter in plaintext. This could have permitted a hacker to abuse the security flaw easily to snoop around network traffic and gather call data.
Thereafter, hackers could have launched their own Agora embedded audio/video application to dial into calls unbeknownst to the attendee.
Currently, observations seem to be void of any evidence confirming that the security flaw was even detected much less exploited.
However, the matter does highlight the necessity to patch security flaws and enhance the overall cybersecurity to protect user privacy.