Data leak vulnerabilities patched in Fuze TPN portal

The bugs allowed sensitive user information and credentials to be stolen, as well as network traffic capture.
Written by Charlie Osborne, Contributing Writer

Fuze has patched a series of vulnerabilities which placed user data and networks at risk.


Researchers from Rapid7 disclosed the security flaws on Tuesday. In a security advisory, the company said the three issues at hand relate to access controls and authentication in the TPN Handset Portal, which is part of the Fuze platform.

Fuze is a voice, messaging and collaboration platform designed for the enterprise. The majority of Fuze's services are delivered as web-based SaaS components, but there are also endpoint apps for desktop and mobile on offer.

As the client base is corporations, any security flaw can have real consequences for users, and so Rapid7 has acknowledged the rapid patching of the three bugs below as a testament to good security practices.

The first vulnerability, R7-2017-07.1 (CWE-284(), is described as an improper access control issue. According to Rapid7, an unauthenticated attacker is able to remotely establish and list the MAC addresses associated with the registered handsets of Fuze users.

By harnessing this information, attackers are then able to craft a URL which displays user Fuze phone numbers, email addresses, parent account names, and locations, as well as a link to the admin interface. In addition, the information is returned via HTTP and so authentication is not required.

The second bug, R7-2017-07.2, (CWE-319) involves the transmission of sensitive information over cleartext. The administrative URL revealed by the exploit of the first security flaw asks for a password over an unencrypted HTTP connection, and so an attacker with privileges on the network is then able to capture this traffic.

The third problem, R7-2017-07.3, ( CWE-307) is based on the improper restriction of excessive authentication attempts. In other words, authentication requests to the administration portal are not rate-limited, which gives attackers the option of using brute-force attacks to grab user credentials.

The bugs were first discovered by a Rapid7 user on 12 April. After being verified, the details of the vulnerabilities were then passed along to Fuze on 25 April.

By 29 April the platform had patched the first bug and several weeks later, the final two security flaws were also fixed, leading to public disclosure on 22 August.

R7-2017-07.1 was fixed by requiring password authentication when accessing the TPN portal, and R7-2017-07.2 was remedied by encrypting traffic streams to the portal. In order to resolve R7-2017-07.3, Fuze now rate-limits authentication attempts to the admin portal.

"While the exposure was a limited set of customer data, Fuze took immediate action upon receiving notification by Rapid7, and remediated the vulnerabilities with its handset provisioning service, in full, within two weeks," said Chris Conry, CIO of Fuze. "Fuze has no evidence of any bad actors exploiting this vulnerability to compromise customer data. Fuze is grateful to Rapid7 for its continued partnership in responsibly sharing security information, and believes in its larger mission to normalize the vulnerability disclosure process across the entire software industry."

As Fuze has fixed the issues through server updates, customers do not need to do anything, and there are no current reports of the bugs being exploited in the wild.

Related coverage

10 things you didn't know about the Dark Web

Editorial standards