Agora.io Video SDK Included Encryption Vulnerability

The McAfee Advanced Threat Research (ATR) team has recently discovered a vulnerability in a video calling SDK provided by Agora.io that could have allowed attackers to join calls uninvited and unannounced. The vulnerable SDK was in use by various connectivity applications.

These reports, as covered by ZDNet, note that this SDK was utilized by the MeetMe, Skout, Nimo TV, temi, and Talkspace applications. McAfee found that the SDK did not encrypt data related to the creation of new calls and that attackers on the same network could intercept call traffic and spy on end-users.

McAfee notified Agora of the issue and the company has issued an updated SDK with improved security. Steve Povolny, Head of Advanced Threat Research at McAfee, told ZDNet that:

“While we don't know which of these apps have implemented the new SDK, we can confirm that Agora has released the SDK and has followed up with its developers to urge them to implement the update.”