A small library that provides audio and video calling capabilities contains a bug that can allow attackers to join audio and video calls without being detected.
The bug —discovered by security firm McAfee, and tracked as CVE-2020-25605— impacts the software development kit (SDK) provided by Agora, a US company specialized in providing real-time communication tools.
Apps that use this SDK for audio and video calling capabilities include the likes of MeetMe, Skout, Nimo TV, temi, Dr. First Backline, Hike, Bunch, and Talkspace.
In a report published today, McAfee says that the Agora SDK does not encrypt details shared during the process of setting up a new call, even if the app has the encryption feature enabled.
Any attacker sitting on the same network as a targeted user can intercept the traffic in the initial phases of a call, extract various call identifiers, and then join the call without being detected.
McAfee said it discovered this issue last year, in April, during a security audit for temi, a personal robot used in retail stores, which also supports audio and video calling.
A subsequent investigation also found clues that this behavior also impacted other apps using the SDK, and the security firm said it notified Agora of its findings.
Steve Povolny, Head of Advanced Threat Research at McAfee, told ZDNet in an email last week that they notified Agore of their findings and that the company responded by releasing a new SDK in December 2020 that was not vulnerable to CVE-2020-25605.
“While we don’t know which of these apps have implemented the new SDK, we can confirm that Agora has released the SDK and has followed up with its developers to urge them to implement the update,” Povolny told ZDNet.
An Agora spokesperson did not return a request for comment.
Agora-based apps have tens of millions of downloads on the Play Store alone; however, McAfee said they found no evidence that the bug was abused in the wild to spy on conversations.