Prying-Eye Vulnerability Exposes Online Meetings to Snooping
Web-conferencing users who don’t assign passwords could be having online meetings with more people than they think, according to new research.
The Cequence CQ Prime Threat Research team today announced its discovery in July 2019 of a vulnerability in the Cisco Webex and Zoom video-conferencing platforms that potentially exposes millions of online meetings to snooping.
By launching an enumeration attack that targets web-conferencing APIs with a bot that cycles through (enumerates) and discovers valid numeric meeting IDs, threat actors could exploit the vulnerability to view and listen to active meetings that haven’t been protected by a password.
“In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community,” said Shreyans Mehta, Cequence Security CTO and co-founder.
“In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web-conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities.”
Following best practices on vulnerability disclosures, the CQ Prime team notified the impacted vendors and gave them time to validate and respond to the findings.
Richard Farley, CISO of Zoom Video Communications, Inc., said: “Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature.”
The Cisco Product Security Incident Response Team (PSIRT) issued an informational security advisory to its Webex customers, but said it “is not aware of any malicious exploitation of this potential attack scenario.”
PSIRT said: “Cisco Webex provides the host with controls that protect the meeting—such as disallowing join before host, locking a meeting, as well as ensuring guests do not join without authentication.”
Passwords are enabled as a default setting for meetings on both the Zoom and Cisco Webex platforms. However, users who are in the mood to live dangerously have the option to make meetings on both platforms password-free.