While developers do have the option in the Agora SDK to encrypt the call, key details about the calls are still sent in plaintext, allowing attackers to acquire these values and use the ID of the associated app “to host their own calls at the cost of the app developer,” McKee explained. In this way researchers were able to sniff network traffic to gather information pertaining to a call of interest and then launch their own Agora video applications to join the call, “completely unnoticed by normal users,” McKee wrote. “This was done by reviewing the video call traffic and reverse-engineering the protocol,” he said.
#Agora video call web code#
ATR achieved this by building a network layer in less than 50 lines of code using a Python framework called Scapy “to help easily identify the traffic the attacker cares about,” McKee explained. The first step for an attacker to exploit the vulnerability is to identify the proper network traffic he or she wants to target. Further, threat actors can hijack key details about calls being made from within apps even if encryption is enabled on the app, he said.
#Agora video call web series#
What they discovered through a series of steps is that they can, a scenario that affects various apps using the SDK, according to McKee. SDK Bug Allows Attackers to Circumvent Encryption They then ran tests using sample apps from Agora to see if third parties could leverage this scenario to spy on a user. Upon examination of the Agora video SDK, researchers discovered that it allows information to be sent in plaintext across the network to initiate a video call.
Upon further exploration, they found a connection to the Agora SDK through “detailed logging” by developers to the Agora.io dashboard, McKee said.
#Agora video call web android#
Researchers first were alerted to an issue when, during their analysis of the temi ecosystem, they found a hardcoded key in the Android app that pairs with the temi robot. 17, 2020 when the company released a new SDK, version 3.2.1, “which mitigated the vulnerability and eliminated the corresponding threat to users,” McKee said. The flaw remained unpatched for about eight months until Dec. Researchers reported this research to Agora.io on April 20, 2020. This paves the way for remote attackers to “obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic,” according to the vulnerability’s CVE description. The flaw makes it easy for third parties to access details about setting up video calls from within the SDK across various apps due to their unencrypted, cleartext transmission. McKee said he did not find evidence of the bug is being exploited in the wild. SDK Bug Could Have Impacted Millionsĭue to its shared use in a number of popular apps, the flaw has the potential to affect “millions–potentially billions–of users,” reported Douglas McKee, principal engineer and senior security researcher at McAfee Advanced Threat Research (ATR), on Wednesday. First’s Backline, among various others, also use the SDK for their call technology. Healthcare apps such as Talkspace, Practo and Dr.
Researchers discovered the flaw, CVE-2020-25605, in a video-calling SDK from a Santa Clara, Calif.-based company called Agora while doing a security audit last year of personal robot called “temi,” which uses the toolkit.Īgora provides developer tools and building blocks for providing real-time engagement in apps, and documentation and code repositories for its SDKs are available online. A vulnerability in an SDK that allows users to make video calls in apps like eHarmony, Plenty of Fish, MeetMe and Skout allows threat actors to spy on private calls without the user knowing.
0 kommentar(er)
