Fuze flaw exposed private business meetings to eavesdroppers
A security flaw in the Fuze business collaboration platform has been patched which exposed corporate meeting recordings.
Fuze is a meeting and collaboration platform designed for enterprise users. The service offers voice and messaging systems, HD audio and group content sharing, analytics, and enterprise application integration.
However, according to security researchers from Rapid7, a vulnerability, CWE-284, potentially compromised the security of business communication on the platform.
The platform weakness was caused by two major issues. The first problem is that the Fuze platform did not require authentication from users to access meeting recordings, which are saved to the firm's cloud hosting service.
They could be accessed due to the use of URLs which included a seven-digit number that increments over time and could be brute-forced without too much trouble.
By guessing a relay ID which Rapid7's Samuel Huckins calls "reasonably close" to the intended target, a brute-force attack would quickly find the right code.
The second issue encompassed both the format and lack of authentication protocols which also allowed eavesdroppers to simply find recordings through search engines such as Google.
After being made aware of the issue on 27 February, the enterprise communication platform was quick to jump on the issue and triage the bug.
Fuze disabled public access to meeting recordings on 1 March, and nine days later, a patch was issued which added authentication controls to the Fuze endpoint client. Recordings that were already shared and potentially compromised were also reviewed.
All meeting recordings now require a password, and the strictness of these controls can be configured by users themselves.
"Security is a top priority for Fuze and we appreciate Rapid7 identifying this issue and bringing it to our attention," Fuze said in a statement. "When we were informed by the Rapid7 team of the issue, we took immediate action and have resolved the problem."
Rapid7 and CERT/CC decided not to issue a CVE number for this vulnerability as the problem was primarily on Fuze servers.