Beyond Clubhouse: Vulnerable Agora SDKs Still in Widespread Use

By , and on Feb 18, 2021

On February 17th, 2021, McAfee disclosed findings based on a 10-month long disclosure process with major video conferencing vendor Agora, Inc.  As we disclosed the findings to Agora in April 2020, this lengthy disclosure timeline represents a nonstandard process for McAfee but was a joint agreement with the vendor to allow sufficient time for the development and release of a secure SDK. The release of the SDK mitigating the vulnerability took place on December 17th, 2020. Given the implications of snooping and spying on video and audio calls, we felt it was important to provide Agora the extended disclosure time. The affected users of Agora include popular voice and video messaging apps, with one notable application being the popular new iOS app known as Clubhouse.

 


Clubhouse Application Screenshot

Clubhouse has made headlines recently as one of the newest players in the social networking sphere, rising in popularity after a series of high-profile users including Elon Musk, Kanye West and influencers in various geographies posted about the platform. Released in April of 2020, Clubhouse quickly carved out a niche in Chinese social media as the platform to discuss sensitive social and political topics – perhaps aided by its invite-only approach to membership – and the spotlight shined on it by these key players further propelled it into viral status early this year. Perhaps unsurprisingly, the application was blocked for use in China on February 8th, 2021.

Last week, Stanford Internet Observatory (SIO) released research regarding the popular Clubhouse app’s use of Agora real-time engagement software and suggested that Agora could have provided the Chinese government access to Clubhouse user information and communications.  While the details of Stanford’s disclosure focus on the audio SDK compared to our work on the video SDK, the functionality and flaw are similar to our recent disclosure, CVE-2020-25605.  This includes the plaintext transmission of app ID, channel ID and token – credentials necessary to join either audio or video calls. We can confirm that Clubhouse updated to the most recent version of the Agora SDK on February 16th – just a day prior to our public disclosure.

Despite the recent noise surrounding Clubhouse, the reality is that this application is just one of many applications that leverage the Agora SDK. Among others, we investigated the social apps eHarmony, Skout, and MeetMe, along with several widely-used healthcare apps, some of which have a significantly larger user base. For example, MeetGroup (comprised of several apps) reported approximately 18 million monthly users compared to Clubhouse, which had approximately 600k total users as of December 2020.

We felt it was important to highlight these data points and are continuing to investigate these applications as well as monitor any potential instances of malicious actors exploiting this vulnerability. Given that Agora has released an updated SDK that fixes the call setup issues, vulnerable applications should have already switched to the secure calling SDK, thus protecting the sensitive audio and video call data as many claim to do. With that in mind, we decided to check back in with some of the Agora-based apps we previously investigated to confirm whether they had updated to the patched version. We were surprised to see many, as of February 18, 2020, still had not:

App Name Installs App Version App Version Date Updated Agora SDK
MeetMe 50,000,000+ 14.24.4.2910 2/9/2021 Yes
LOVOO 50,000,000+ 93.0 2/15/2021 No
Plenty of Fish 50,000,000+ 4.36.0.1500755 2/5/2021 No
SKOUT 50,000,000+ 6.32.0 2/3/2021 Yes
Tagged 10,000,000+ 9.32.0 12/29/2020 No
GROWLr 1,000,000+ 16.1.1 2/11/2021 No
eharmony 5,000,000+ 8.16.2 2/5/2021 Yes
Clubhouse 2,000,000+ 0.1.2.8 2/16/2021 Yes
Practo 5,000,000+ 4.93 1/26/2021 No

With the context around censorship and basic privacy concerns, it will be interesting to see if these and many other apps using the vulnerable SDK update quickly, or even ever, and what kind of lasting effects these types of findings have on users’ trust and confidence in social media platforms.

For more on McAfee ATR’s research into the Agora SDK, please see our technical research blog.

For information on how users can protect themselves when using such apps, please see our consumer safety tips blog.

About the Author

Steve Povolny

Steve Povolny is the Head of Advanced Threat Research for McAfee Enterprise, which delivers groundbreaking vulnerability research spanning nearly every industry. With more than a decade of experience in network security, Steve is a recognized authority on hardware and software vulnerabilities, and regularly collaborates with influencers in academia, government, law enforcement, consumers and enterprise businesses ...

Read more posts from Steve Povolny

Douglas McKee

Douglas McKee is a Principal Engineer and Senior Security Researcher for the Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Douglas has an extensive background in vulnerability research, penetration testing, reverse engineering, malware analysis, and forensics and throughout his career has provided software exploitation training to many audiences, including ...

Read more posts from Douglas McKee

Mark Bereza

Mark Bereza is a Security Researcher and recent addition to McAfee's Advanced Threat Research team. An alumnus of Oregon State University's CS systems program, Mark's work has focused on vulnerability discovery and exploit development for embedded systems.

Read more posts from Mark Bereza

Categories: McAfee Labs

Subscribe to McAfee Securing Tomorrow Blogs