UPDATED 08:00 EST / FEBRUARY 17 2021

Popular SDK used by social media sites allows attackers to spy on audio and video calls

A newly disclosed vulnerability in a software development kit used by a variety of applications and sites allows an attacker to spy on ongoing audio and video calls.

Detailed early Wednesday by security researchers at McAfee LLC’s Advanced Threat Research team, the vulnerability relates to the Agora Inc. Video SDK. The Agora SDK is designed to deliver a “real-time engagement platform for meaningful human connections.”

It’s said to power 40 billion minutes of “human connections” a month. The SDK is used by sites and apps from companies such as eHarmony Inc., Plentyoffish Media LLC, The Meet Group Inc. and Skout, as well as healthcare apps such as Talkspace, Practo Technologies Pvt. Ltd. and Dr.First.com Inc.

The vulnerability, officially named CVE-2020-25605, relates to sensitive information sent unencrypted over the Agora Video SDK network. It was first reported to Agora in April 2020, but the company did not update its SDK to address the vulnerability until Dec. 17.

At the core of the issue is that the call data handled by the SDK is sent without any encryption, or, in the words of the researchers, “sensitive call information being sent in plaintext, without a method for developers to extend encryption to the sensitive call information.”

Strangely, Agora does offer the ability to encrypt traffic, but the researchers found that it was not widely used. “While it is impossible to be certain, one reason might be because the Agora encryption options require a pre-shared key, which can be seen in its example applications posted on GitHub,” the researchers said. “The Agora SDK itself did not provide any secure way to generate or communicate the pre-shared key needed for the phone call and therefore this was left up to the developers.”

Many calling models, the researchers added, are used in applications that enable the user to call anyone without prior contact. “This is difficult to implement into a video SDK post-release since a built-in mechanism for key sharing was not included,” they said. “It is also worth noting that, generally, the speed and quality of a video call is harder to maintain while using encryption.”
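The gap the researchers describe is key distribution: an app whose users call strangers has no prior contact over which to agree a pre-shared key. The following is an added example (not Agora’s code or API; all names are hypothetical) of the usual defender’s answer, a backend that both callers already trust issuing a fresh per-call key over their authenticated sessions, so the call-setup message carries only a call identifier and never the key itself.

```python
# Added example (not Agora's code or API): a backend-issued per-call key so the
# pre-shared key never travels in the plaintext call-setup message. Names are
# hypothetical; the SDK is modelled only as "whatever consumes the call key".
import hashlib
import hmac
import json
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Extract + Expand with SHA-256, enough for one 32-byte key."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyService:
    """Trusted backend, reached over the app's authenticated TLS session.

    It is the 'prior contact' the calling model lacks: both callers already
    trust it, so it can introduce a fresh key for a call between strangers.
    """

    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)   # constructed; per-deployment secret
        self.participants: dict[str, set[str]] = {}

    def create_call(self, caller: str, callee: str) -> str:
        call_id = secrets.token_hex(16)        # random, so call keys never repeat
        self.participants[call_id] = {caller, callee}
        return call_id

    def fetch_call_key(self, user: str, call_id: str) -> bytes:
        # Authorisation: only the two participants may obtain this call's key.
        if user not in self.participants.get(call_id, ()):
            raise PermissionError("not a participant of this call")
        return hkdf_sha256(self.master, b"call-key-v1", call_id.encode())


def build_setup_message(call_id: str, caller: str, callee: str) -> bytes:
    """What crosses the (possibly plaintext) signalling path: no key material."""
    return json.dumps({"call": call_id, "from": caller, "to": callee}).encode()
```

Each participant fetches the key over its own authenticated channel and hands it to the SDK’s encryption option; an observer of the setup message sees only the call identifier.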

The McAfee researchers have no evidence that the vulnerability has been exploited in the wild, but they noted that the situation highlights the importance of encrypted data.

“While the need to protect truly sensitive information such as financial data, health records and other personally identifiable information has long been standardized, consumers are increasingly expecting privacy and encryption for all web traffic and applications,” the researchers concluded. “Furthermore, when encryption is an option provided by a vendor, it must be easy for developers to implement, adequately protect all session information including setup and teardown, and still meet the developers’ many use cases.”

Image: Agora
