
Vulnerability in Cisco Webex and Zoom may expose online meetings to snooping


Cequence Security’s CQ Prime Threat Research Team discovered a vulnerability in the Cisco Webex and Zoom video conferencing platforms that potentially allows an attacker to enumerate (list) valid meeting IDs and then view active meetings that are not password-protected.


The web conferencing market includes nearly three dozen vendors, some of whom may use similar meeting identification techniques. Although the CQ Prime team did not test each of these products, it is possible they could be susceptible as well.

Prying-Eye vulnerability

The Prying-Eye vulnerability is an example of an enumeration attack that targets web conferencing APIs with a bot that cycles through (enumerates) and discovers valid numeric meeting IDs. If the common user practice of disabling security functionality or not assigning a password is followed, then the bad actor would be able to view or listen to an active meeting. If a user has chosen the option of configuring a personal meeting ID to simplify meeting management, a bad actor can store that information for future snooping activity.
“The Cequence finding highlights the fact that APIs are a growing attack surface and that APIs can be exploited when not properly secured. Organizations are struggling to figure out how to protect their APIs and often use the wrong technology to secure them, such as API gateways, web application firewalls or nothing at all. With Akamai recently announcing that 82% of their CDN traffic is API traffic, and with the average organization running over 600 APIs, there’s a clear and present danger with APIs that organizations need to address,” said Alissa Knight, Senior Analyst with Aite Group.

Enumeration attacks

Any application, not just video conferencing, that identifies resources by short numeric or alphanumeric identifiers and grants access on the identifier alone is susceptible to this enumeration technique: the smaller and more predictable the identifier space, the fewer guesses a bot needs before it lands on a valid one. The fact that web conferencing end users tend to disable or ignore the security functionality that would make a guessed ID useless (such as a meeting password) has significant business ramifications.
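The following is an added example, not code from Cequence, Cisco or Zoom, that models the attack described in the two passages above against a mock meeting-lookup service: why a contiguous walk over numeric meeting IDs turns up valid ones, why a discovered ID is only useful when the meeting has no password, and how the service side can recognise the probing pattern from its own request log. The endpoint shape (`join`), the 9-digit ID space, the meeting table and the client names are all constructed assumptions; the real vendor APIs and their responses are not modelled.

```python
"""Added example (not from the article or the vendors): a mock meeting-lookup
API used to show (1) why short numeric meeting IDs can be enumerated, (2) why a
password makes a discovered ID insufficient, and (3) how a server can detect
the probing pattern.  Endpoint shape, ID length, meeting table and client names
are constructed assumptions."""

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

ID_SPACE = 10 ** 9  # assumption: 9-digit numeric meeting IDs

# Constructed meeting table: id -> password (None means "join without password").
MEETINGS = {
    100000042: None,       # open, e.g. a reused personal meeting ID
    100000137: "s3cret",   # password-protected
    100000311: None,       # open
    100000499: "hunter2",  # password-protected
}


@dataclass
class MockMeetingService:
    """Stand-in for a conferencing 'join' API (assumption, not a real endpoint)."""
    meetings: dict
    log: list = field(default_factory=list)  # (client, meeting_id, result)

    def join(self, client: str, meeting_id: int,
             password: Optional[str] = None) -> str:
        if meeting_id not in self.meetings:
            result = "not_found"
        elif self.meetings[meeting_id] is None:
            result = "joined"             # no password set: the ID alone is enough
        elif password == self.meetings[meeting_id]:
            result = "joined"
        else:
            result = "password_required"  # ID is valid but not sufficient
        self.log.append((client, meeting_id, result))
        return result


def expected_probes_per_hit(id_space: int, active_meetings: int) -> float:
    """Average number of guesses before a bot lands on any valid ID."""
    return id_space / active_meetings


def enumerate_ids(service: MockMeetingService, client: str,
                  start: int, count: int) -> dict:
    """The attacker's loop: walk a contiguous block of IDs, never supplying a
    password.  Returns {meeting_id: result} for every ID that proved valid."""
    found = {}
    for meeting_id in range(start, start + count):
        result = service.join(client, meeting_id)
        if result != "not_found":
            found[meeting_id] = result
    return found


def detect_enumeration(log: list, min_requests: int = 50,
                       max_miss_ratio: float = 0.9) -> set:
    """Server-side check: a client whose lookups are almost all misses is
    probing the ID space.  Returns the clients to rate-limit or block."""
    total = defaultdict(int)
    misses = defaultdict(int)
    for client, _meeting_id, result in log:
        total[client] += 1
        if result == "not_found":
            misses[client] += 1
    return {
        client for client in total
        if total[client] >= min_requests
        and misses[client] / total[client] > max_miss_ratio
    }


if __name__ == "__main__":
    svc = MockMeetingService(dict(MEETINGS))
    svc.join("alice", 100000137, "s3cret")           # a legitimate attendee
    hits = enumerate_ids(svc, "bot-1", 100000000, 500)
    print("valid IDs found by the bot:", hits)
    print("open to snooping:", [m for m, r in hits.items() if r == "joined"])
    print("clients flagged as enumerating:", detect_enumeration(svc.log))
    print("probes per hit, 9-digit IDs, 100k active meetings:",
          expected_probes_per_hit(ID_SPACE, 100_000))
```

Two things the run makes concrete. First, the bot learns that 100000137 and 100000499 exist even though it cannot join them, which is why a password protects the meeting but not the secrecy of the ID. Second, the detection rule keys on the miss ratio rather than raw volume, so a host who mistypes an ID a few times is not flagged while a client with hundreds of consecutive `not_found` responses is.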
“Security of all types, from traditional network level to user best practices, is an increasingly high priority for corporate boards and ensuring web conferences are secure should be common practice. As a board member, if for example we are reviewing quarterly financials and future looking forecasts with the executive team and the meeting is compromised due to a vulnerability like this, a bad actor would be able to eavesdrop on the web conference, gaining insider information,” said Mark Adams, Board Member at Seagate Technology PLC and Cadence Design Systems.

API as a target for automated attacks

The use of an API as a target for automated attacks is increasingly common, driven by the ubiquity of mobile devices and the move towards modular applications in which APIs are the foundational elements of the application’s business logic. An API that exposes the same lookup a web form does, but without the form’s interactive friction, is an easier target for a bot to iterate against.
“In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community,” said Shreyans Mehta, Cequence Security CTO. “In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities.”

Addressing the vulnerability

The CQ Prime team notified the impacted vendors after the initial discovery in July 2019 and gave them time to validate and respond to the findings.
Both Cisco and Zoom have posted advisories to their customers with steps on how to address this vulnerability.
According to the Cisco Product Security Incident Response Team (PSIRT), “We have issued an informational security advisory to provide our customers with the information they require. Notably, the most effective step to strengthen the security of all meetings is to require a password – which is enabled by default for all Webex meetings. Cisco PSIRT is not aware of any malicious exploitation of this potential attack scenario.”
“Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature. Zoom hosts can also choose to protect their meetings and webinars via password. Passwords are now enabled as the default setting for Zoom meetings, but as is true of other security options, meeting hosts are free to choose security settings that are most appropriate to the sensitivity of their meetings,” said Richard Farley, CISO of Zoom Video Communications, Inc.

 Article Credits: https://www.helpnetsecurity.com/2019/10/01/prying-eye-vulnerability/

