Fuze flaw exposed private business meetings to eavesdroppers

The security vulnerability in the business software allowed attackers to access recorded conversations.
Written by Charlie Osborne, Contributor on

A security flaw in the Fuze business collaboration platform that exposed corporate meeting recordings to anyone who could guess or search for their URLs has been patched.

Fuze is a meeting and collaboration platform designed for enterprise users. The service offers voice and messaging systems, HD audio and group content sharing, analytics, and enterprise application integration.

However, according to security researchers from Rapid7, a vulnerability classified as CWE-284 (Improper Access Control) compromised the confidentiality of business communication on the platform.

The platform weakness was caused by two major issues. The first is that Fuze did not require users to authenticate before accessing meeting recordings, which are saved to the firm's cloud hosting service.

Recordings could be accessed because their URLs contained a seven-digit number that increments over time, so valid URLs could be brute-forced without much trouble.

By starting from a guessed recording ID that Rapid7's Samuel Huckins calls "reasonably close" to the intended target, a brute-force attack would quickly land on the right one, since the space of nearby sequential numbers is small.

The second issue was that the predictable URL format, combined with the lack of any authentication check, meant recordings were also indexed by search engines such as Google, so eavesdroppers could simply search for them.
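To make the two weaknesses concrete, here is an added example that is not Fuze's code and not part of the original article. It models a hypothetical recording store in two forms: a weak one that hands out sequential seven-digit IDs and serves any recording without authentication, with a small enumeration routine showing how a "reasonably close" guess finds neighbouring recordings; and a hardened one that issues unguessable random tokens and refuses unauthenticated or unauthorised sessions. Class names, the URL layout and the session dictionary are assumptions for illustration.

```python
"""Sequential, unauthenticated recording URLs versus random, authenticated ones.

Hypothetical model for illustration; not Fuze's implementation.
"""
import math
import secrets


class WeakRecordingStore:
    """Assumed weak design: 7-digit incrementing ID, no auth on fetch."""

    def __init__(self, start_id=1000000):
        self._next = start_id
        self._recordings = {}  # id -> (owner, content)

    def store(self, owner, content):
        rid = self._next
        self._next += 1  # sequential: the next URL is trivially predictable
        self._recordings[rid] = (owner, content)
        return f"/recordings/{rid:07d}"

    def fetch(self, url, session=None):
        # No authentication and no ownership check: the URL alone is the key.
        rid = int(url.rsplit("/", 1)[1])
        entry = self._recordings.get(rid)
        return None if entry is None else entry[1]


def enumerate_nearby(store, guess, window):
    """Brute-force IDs within +/- window of a guess; return hits in ID order."""
    found = []
    for rid in range(guess - window, guess + window + 1):
        content = store.fetch(f"/recordings/{rid:07d}")
        if content is not None:
            found.append((rid, content))
    return found


class HardenedRecordingStore:
    """Assumed hardened design: random 256-bit token plus per-user authorisation."""

    def __init__(self):
        self._recordings = {}  # token -> (content, allowed users)

    def store(self, owner, content, allowed_users=()):
        token = secrets.token_urlsafe(32)  # 32 random bytes; not enumerable
        self._recordings[token] = (content, set(allowed_users) | {owner})
        return f"/recordings/{token}"

    def fetch(self, url, session):
        # Authentication first: crawlers and anonymous visitors get nothing,
        # so nothing is there for a search engine to index.
        if not session or not session.get("authenticated"):
            raise PermissionError("authentication required")
        token = url.rsplit("/", 1)[1]
        entry = self._recordings.get(token)
        if entry is None:
            return None
        content, allowed = entry
        # Authorisation second: a valid login is not enough on its own.
        if session.get("user") not in allowed:
            raise PermissionError("not authorised for this recording")
        return content


def id_space_bits(id_space):
    """Bits of guessing effort for a uniformly random ID drawn from id_space."""
    return math.log2(id_space)


if __name__ == "__main__":
    weak = WeakRecordingStore()
    weak.store("alice", "Q3 board meeting")  # constructed sample content
    weak.store("bob", "M&A call")
    print("weak store, guess 1000050 +/- 100:", enumerate_nearby(weak, 1000050, 100))
    print("7-digit ID space:", round(id_space_bits(10**7), 1), "bits (and sequential)")
    print("token_urlsafe(32):", id_space_bits(2**256), "bits")
```

Note that the seven-digit space is only about 23 bits even if IDs were random; because they increment, an attacker who knows one recent ID needs far fewer guesses than that. The hardened store's token is unguessable, but the authentication and authorisation checks are what actually close the hole: a long random URL that is e-mailed around or indexed by a crawler is still a leak if the server serves it to anyone who presents it.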

After being notified on 27 February, Fuze moved quickly to triage the bug.

Fuze disabled public access to meeting recordings on 1 March, and nine days later a patch was issued which added authentication controls to the Fuze endpoint client. Recordings that had already been shared, and so were potentially compromised, were also reviewed.

All meeting recordings now require a password, and the strictness of these controls can be configured by users themselves.

"Security is a top priority for Fuze and we appreciate Rapid7 identifying this issue and bringing it to our attention," Fuze said in a statement. "When we were informed by the Rapid7 team of the issue, we took immediate action and have resolved the problem."

Rapid7 and CERT/CC decided not to issue a CVE number for this vulnerability, since the problem lay primarily in Fuze's server-side service rather than in software that customers deploy themselves.
