posted by martyb on Thursday February 18 2021, @08:34PM
from the watching-the-watchers dept.

SDK Bug Lets Attackers Spy on User's Video Calls Across Dating, Healthcare Apps:

A vulnerability in an SDK that allows users to make video calls in apps like eHarmony, Plenty of Fish, MeetMe and Skout allows threat actors to spy on private calls without the user knowing.

Researchers discovered the flaw, CVE-2020-25605, in a video-calling SDK from a Santa Clara, Calif.-based company called Agora while doing a security audit last year of a personal robot called "temi," which uses the toolkit.

Agora provides developer tools and building blocks for providing real-time engagement in apps, and documentation and code repositories for its SDKs are available online. Healthcare apps such as Talkspace, Practo and Dr. First's Backline, among various others, also use the SDK for their call technology.

[...] Due to its shared use in a number of popular apps, the flaw has the potential to affect "millions–potentially billions–of users," reported Douglas McKee, principal engineer and senior security researcher at McAfee Advanced Threat Research (ATR), on Wednesday.

McKee said he did not find evidence of the bug being exploited in the wild.

The flaw makes it easy for third parties to access details about setting up video calls from within the SDK across various apps due to their unencrypted, cleartext transmission. This paves the way for remote attackers to "obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic," according to the vulnerability's CVE description.

Researchers reported this research to Agora.io on April 20, 2020. The flaw remained unpatched for about eight months until Dec. 17, 2020, when the company released a new SDK, version 3.2.1, "which mitigated the vulnerability and eliminated the corresponding threat to users," McKee said.
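The bug class above is call-setup parameters crossing the network in cleartext, where a passive observer can read them. The following is an added example, not code from the article, McAfee ATR or Agora: a small audit that scans captured messages and flags any that expose call-setup fields outside an encrypted channel. The field names, the message format and the sample traffic are all assumptions constructed for the example, not Agora's real wire format.

```python
"""Passive check for cleartext call-setup leakage (added example).
Field names and message layout are assumptions, not Agora's protocol."""
from __future__ import annotations
from dataclasses import dataclass
import json
import re

# Fields that let a third party locate and join a call (assumed names).
SETUP_FIELDS = {"app_id", "channel", "token", "uid"}


@dataclass
class Message:
    dst_port: int
    tls: bool       # True when the capture tool saw a TLS handshake
    payload: bytes  # application data as captured


def cleartext_setup_fields(msg: Message) -> set[str]:
    """Return the call-setup field names readable in plaintext (empty if none)."""
    if msg.tls:
        return set()  # payload is ciphertext; a passive observer learns nothing
    found: set[str] = set()
    try:  # JSON-style signaling body
        doc = json.loads(msg.payload)
        if isinstance(doc, dict):
            found |= SETUP_FIELDS & set(doc)
    except (ValueError, UnicodeDecodeError):
        pass
    # Also catch query-string style setup parameters (e.g. ?channel=...&uid=...).
    text = msg.payload.decode("latin-1")
    for name in SETUP_FIELDS:
        if re.search(rf"(?:^|[?&\s]){name}=", text):
            found.add(name)
    return found


def audit(messages: list[Message]) -> list[tuple[int, set[str]]]:
    """Index and leaked fields for every message that exposes setup data."""
    return [(i, f) for i, m in enumerate(messages) if (f := cleartext_setup_fields(m))]


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Message(443, True, b"\x17\x03\x03\x00\x20..."),                          # TLS record
    Message(8080, False, b'{"app_id":"demo","channel":"room1","token":"t0k"}'),
    Message(80, False, b"GET /join?channel=room1&uid=42 HTTP/1.1\r\n"),
    Message(80, False, b"GET /static/logo.png HTTP/1.1\r\n"),                # harmless
]

if __name__ == "__main__":
    for idx, fields in audit(SAMPLE):
        print(f"message {idx}: cleartext call-setup fields {sorted(fields)}")
```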


  • (Score: 0) by Anonymous Coward on Thursday February 18 2021, @08:38PM (3 children)

    by Anonymous Coward on Thursday February 18 2021, @08:38PM (#1114587)

    Just as unexpectedly for some people.

    • (Score: 0) by Anonymous Coward on Thursday February 18 2021, @08:55PM (2 children)

      by Anonymous Coward on Thursday February 18 2021, @08:55PM (#1114592)

      Well, the company IS called Agora, which is Greek for “marketplace.” A good reason to not patch the libraries for 8 months after the flaw was detected.

      • (Score: 0) by Anonymous Coward on Thursday February 18 2021, @09:52PM (1 child)

        by Anonymous Coward on Thursday February 18 2021, @09:52PM (#1114612)

        What do you mean, "a flaw"?

        • (Score: 0) by Anonymous Coward on Friday February 19 2021, @12:05AM

          by Anonymous Coward on Friday February 19 2021, @12:05AM (#1114666)

          As Nixon said, plausible deniability.
  • (Score: 0) by Anonymous Coward on Thursday February 18 2021, @11:09PM (3 children)

    by Anonymous Coward on Thursday February 18 2021, @11:09PM (#1114652)

    The flaw makes it easy for third parties to access details about setting up video calls from within the SDK across various apps due to their unencrypted, cleartext transmission

    This piss-poor attitude towards security was all well and good when the internet was new and people were still learning how to make it work. But in today's market any development that doesn't start on a solid framework of security should be penalized into oblivion. That includes just sucking in whatever framework gets the job done. If you wrote it you should be responsible for every line of code that went into the making of it.

    It's time we got past this dark age of "just make it work, we'll fix the security later".

    • (Score: 0) by Anonymous Coward on Thursday February 18 2021, @11:32PM (2 children)

      by Anonymous Coward on Thursday February 18 2021, @11:32PM (#1114659)

      But muh VC money and IPO, bro...

      • (Score: 1, Insightful) by Anonymous Coward on Thursday February 18 2021, @11:42PM (1 child)

        by Anonymous Coward on Thursday February 18 2021, @11:42PM (#1114661)

        Two companies: one ships, the other is still farfing around with 'security'.

        One makes money the other ran out. One can buy a couple of congress critters to make the problem 'go away'. The other is looking for a job.

        That is the way of it. Sorry you do not like it. But it is true.

        • (Score: 2, Interesting) by Anonymous Coward on Friday February 19 2021, @12:13AM

          by Anonymous Coward on Friday February 19 2021, @12:13AM (#1114667)

          And that Mentality ("the" Mentality, I'm not implying "your mentality") is why this country is going down the shitter. All people care about is consume, consume, consume; as soon as the thing they bought is brought home, they're bored with it already and want a new gizmo. Those things that manage to retain their attention for more than 5 minutes break after 6 minutes because they're made like crap with every component being supplied by the lowest bidder.

          I have things from the 80s that still work, how much of today's stuff will be around 3 years from now?

  • (Score: 2) by looorg on Friday February 19 2021, @01:12AM

    by looorg (578) on Friday February 19 2021, @01:12AM (#1114681)

    Every good dating site needs some creepy stalkers. Since it's in the SDK I guess it's a feature with that in mind.
