Vulnerability in Agora SDK Allowed Spying on Private Video Calls


Experts from McAfee Advanced Threat Research (ATR) have reported a dangerous vulnerability in a popular software development kit (SDK) used in a number of video calling applications. The flaw made it possible to covertly monitor private video and audio calls.


The SDK is produced by the American company Agora.io and is used by numerous applications, including eHarmony, Plenty of Fish, MeetMe, Skout, Talkspace, and Practo. The vulnerability discovered in the Agora SDK (CVE-2020-25605) stems from weak encryption and could be exploited by cybercriminals to carry out man-in-the-middle attacks and intercept communications between call participants.


As the experts explained, the Agora SDK implementation did not allow applications to securely configure audio and video encryption settings. In particular, the function responsible for connecting the end user to a call transmitted its parameters (such as the App ID and authentication tokens) in unencrypted form, which allowed an attacker to intercept traffic, collect this information, and launch their own Agora application to secretly join calls.


The experts informed Agora.io of the vulnerability in April 2020; the problem was fixed eight months later, in December 2020, with the release of version 3.2.1. There is currently no evidence that CVE-2020-25605 has been exploited in real-world attacks; however, developers using the Agora SDK are strongly encouraged to update to the patched version of the product.
