Saturday, October 16, 2021

Bug in a shared SDK may allow attackers to join calls undetected across multiple apps

Must Read

Attacks Maybe about to Make even more Harmful and Tumultuous

Cybercriminals continue to be successfully running ransomware campaigns while requiring higher ransoms than ever - and things might be...

BugTraq security mailing list closes after 27 years

BugTraq was launched in November 1993 and was one of the first mailing lists dedicated to exposing weaknesses.BugTraq, one...

Vulnerabilities in Atlassian domains Could takeover Any Atlassian Account

Vulnerabilities that could allow XSS, CSRF and one-click account takeovers in Atlassian subdomains have been patched.Atlassian, a platform used...

A small library that provides audio and video call capabilities contain a bug that allows attackers to join audio and video calls without being detected.

The bug – detected by security company McAfee and tracked as CVE-2020-25605 – affects the software development kit (SDK) provided by Agora, a US company specializing in delivering real-time communication tools.

Applications that use this SDK for audio and video streaming capabilities include MeetMe, Skout, Nimo TV, Temi, Dr. First Backline, Hike, Bunch, and Talkspace.

In a report published today, McAfee states that the Agora SDK does not encrypt data shared during the new call process, even if the app has enabled encryption functionality.

Any attacker stationed on the same network as the target user can disconnect traffic in the first stages of the call, extract various call identifiers, and join the call without being detected.

McAfee said the matter came to light last year, in April, during a three-way security study, a personal robot used in retail stores supporting audio and video calling.

Subsequent investigations have found indications that this behavior has affected other applications using the SDK, and the security company said it had informed Agora of its findings.

Steve Povolny, Head of Advanced Threat Research at McAfee, said they informed Agore of their findings and that the company responded by releasing a new SDK in December 2020 that was not at risk for CVE-2020-25605.

“While we do not know which of these applications used the new SDK, we can confirm that the Agora has released the SDK and followed its developers to urge them to use what is being developed,” Povolny said.

Bug in a shared SDK may allow attackers to join calls undetected across multiple apps

An Agora spokesman did not return a request for comment.

Agora-based apps have tens of millions of downloads in the Google Play Store alone; however, McAfee said they found no evidence that the insect had been disturbed in the wild to examine the conversations.

Vulnerability Details

  • CVE: CVE-2020-25605
  • CVSSv3 Rating: 7.5/6.7
  • CVSS String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
  • CVE Description: Cleartext transmission of sensitive information in Agora Video SDK prior to 3.1 allows a remote attacker to obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic.
Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a reply

Please enter your comment!
Please enter your name here

Latest News

Unified endpoint management automation software to boost endpoint security

Endpoints are constantly connected to the internet, so they offer a gateway for cyberattacks. Endpoint security is simply the process...

Attackers Using Morse Code in phishing campaign to Evade Detection

Microsoft on Thursday revealed the techniques used by attackers to avoid detection using morse code in the phishing campaign.Microsoft also revealed the workings of...

Murata Manufacturing suffers data breach of employees and customer

Japanese electronic components manufacturer Murata has released an apology Notice for the data breach of thousands of files in June that contained bank account...

Everything about Signalling System 7(SS7)

Signaling System 7 (SS7) is an international telecommunication protocol standard that controls and regulates the network elements in a public switched telephone network (PSTN)....

Zimbra flaw lets attackers access the mail servers

Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails...

More Articles Like This