Fuze, an enterprise-grade voice and video collaboration platform, has patched a vulnerability that exposed recordings of private meetings.
A fix was made server-side by Fuze, and a patch was pushed to its endpoint client apps within 11 days of being privately notified by researchers at Rapid7.
Program manager Samuel Huckins said there were two glaring issues that put voice, video and text data recorded between parties at risk. The first is that recordings could be shared without requiring authentication. The second was an issue he identified where URLs at which recordings were accessible included a seven-digit identifier that increased incrementally over time and could be brute-forced.
“You couldn’t set a password; it wasn’t required at first. And you could guess other folks’ URLs,” Huckins said. “In this case, the format itself wasn’t a problem. The lack of authentication was the main issue. The URL structure just exacerbated that by just making it easier to find.”
Similar to other collaboration platforms such as WebEx and GoToMeeting, sessions can be recorded and shared via a URL. Since the fix was implemented, users are now required to set a password before sharing; it’s unknown whether other platforms have similar vulnerabilities.
Huckins said that some recording files were also indexed by search engines.
“That was initially how I came across these. If this isn’t behind a password, who can see it?” Huckins said. “I found a few searching that way. It wasn’t a huge number, so I really don’t know what the trigger was for some to be indexed and some not, but some were. Those may have been intentionally shared. I didn’t spot things that looked confidential. They could have been completely intentional as shared.”
Fuze applications are delivered as software-as-a-service components, in addition to endpoint clients for desktop and mobile. Recordings, Rapid7 said, are saved to the vendor’s cloud hosting service and accessed by the shared URL.
“Before [the patch], you would share the meeting, get the link and you were off to the races,” Huckins said. “For what Fuze is focused on, that makes good sense. They’re all about bringing people together, enhancing collaboration, lowering that barrier to entry, so it was a good user experience for that. This additional set of controls makes it that such if there’s sensitive content in those recordings, then they are safe.”
The vulnerability was privately disclosed Feb. 27 and two days later, Fuze removed public access and required a password to view recordings from the cloud or clients. Fuze released version 4.3.1 of its client applications on March 10. There’s also no evidence the issue was abused publicly, Rapid7 said.
“From what we saw and know from Fuze, we don’t have any evidence of that. That would be difficult to determine without being in a position like Google,” Huckins said. “Due to the speed of remediation and knowledge we have, no indication of that.”