[BreachExchange] Vulnerability in Cisco Webex and Zoom may expose online meetings to snooping

Destry Winant destry at riskbasedsecurity.com
Wed Oct 2 00:00:18 EDT 2019


https://www.helpnetsecurity.com/2019/10/01/prying-eye-vulnerability/

Cequence Security’s CQ Prime Threat Research Team discovered a
vulnerability in the Cisco Webex and Zoom video conferencing platforms
that potentially allows an attacker to enumerate (cycle through and
list) active meetings and to view those that are not password-protected.

The web conferencing market includes nearly three dozen vendors, some
of whom may use similar meeting identification techniques. Although
the CQ Prime team did not test each of these products, it is possible
they could be susceptible as well.

Prying-Eye vulnerability

The Prying-Eye vulnerability is an example of an enumeration attack: a
bot targets the web conferencing API and cycles through (enumerates)
the numeric meeting-ID space, discovering which IDs correspond to valid
meetings. If the common user practice of disabling security
functionality or not assigning a password is followed, the bad actor
would be able to view or listen to an active meeting. If a user has
chosen to configure a personal meeting ID to simplify meeting
management, a bad actor can store that ID for future snooping, since
the same ID is reused for later meetings.
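As an added illustration (constructed for this page, not Cequence's, Cisco's or Zoom's code), the following Python models the oracle an enumeration bot relies on and how the mitigations named later in the article, a mandatory password and server-side throttling, remove it. The 9-digit ID space, the single lookup call, the per-client request limit and the sample meetings are all assumptions.

```python
"""Toy model of the Prying-Eye enumeration oracle and of its removal.

Added example, not Cisco's or Zoom's code. Assumptions: meeting IDs are
9-digit numbers, the API is a single lookup call, and the hardened service
allows MAX_PROBES_PER_CLIENT unauthenticated attempts per client.
"""
import hmac
import secrets
from collections import defaultdict

ID_SPACE = 10**9              # assumption: 9-digit numeric meeting IDs
MAX_PROBES_PER_CLIENT = 20    # assumption: per-client throttle
DUMMY_PASSWORD = "not-a-real-password"  # compared against for unknown IDs


class WeakMeetingService:
    """Lookup that tells an unauthenticated caller whether an ID is live.

    'found' versus 'not found' is observable without a password, so this
    call is exactly the oracle an enumeration bot needs.
    """

    def __init__(self, meetings):
        self._meetings = dict(meetings)   # meeting_id -> topic

    def lookup(self, client, meeting_id, password=None):
        topic = self._meetings.get(meeting_id)
        if topic is None:
            return {"status": 404}
        return {"status": 200, "topic": topic}   # no password check at all


class HardenedMeetingService:
    """Same directory with three changes: every meeting has a password,
    unknown ID and wrong password return the same response, and each
    client is throttled. The lookup no longer leaks which IDs exist."""

    def __init__(self, meetings, passwords):
        self._meetings = dict(meetings)
        self._passwords = dict(passwords)   # meeting_id -> password
        self._probes = defaultdict(int)

    def lookup(self, client, meeting_id, password=None):
        self._probes[client] += 1
        if self._probes[client] > MAX_PROBES_PER_CLIENT:
            return {"status": 429}
        # Compare against a dummy for unknown IDs so the work done (and the
        # response) is the same whether or not the meeting exists.
        expected = self._passwords.get(meeting_id, DUMMY_PASSWORD)
        match = hmac.compare_digest(expected, password or "")
        if meeting_id not in self._meetings or not match:
            return {"status": 403}
        return {"status": 200, "topic": self._meetings[meeting_id]}


def enumerate_meetings(service, client, start, count):
    """The bot behaviour the article describes: walk consecutive IDs and
    keep those the service confirms as live."""
    found = []
    for meeting_id in range(start, start + count):
        if service.lookup(client, meeting_id)["status"] == 200:
            found.append(meeting_id)
    return found


def expected_probes_per_hit(active_meetings, id_space=ID_SPACE):
    """Average guesses an unthrottled bot needs per live meeting found."""
    return id_space / active_meetings


def demo():
    meetings = {123456789: "Q3 board review", 123456795: "team standup"}
    weak = WeakMeetingService(meetings)
    leaked = enumerate_meetings(weak, "bot", 123456780, 20)

    passwords = {mid: secrets.token_urlsafe(8) for mid in meetings}
    hardened = HardenedMeetingService(meetings, passwords)
    blocked = enumerate_meetings(hardened, "bot", 123456780, 40)
    # An attendee who has the password is unaffected.
    legit = hardened.lookup("alice", 123456789, passwords[123456789])
    return leaked, blocked, legit["status"]


if __name__ == "__main__":
    print(demo())
    print(expected_probes_per_hit(1000))
```

Against the weak service the bot recovers both live IDs in 20 probes; against the hardened one every probe returns the same 403 (unknown ID and wrong password are indistinguishable) until the client is throttled, while an attendee who knows the password still joins. The keyspace helper shows why throttling matters on its own: with a thousand concurrent meetings in a 10^9 space, an unthrottled bot needs only about a million guesses per hit, which is cheap at API speed.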

“The Cequence finding highlights the fact that APIs are a growing
attack surface and that APIs can be exploited when not properly
secured. Organizations are struggling to figure out how to protect
their APIs and often use the wrong technology to secure them, such as
API gateways, web application firewalls or nothing at all. With Akamai
recently announcing that 82% of their CDN traffic is API traffic, and
with the average organization running over 600 APIs, there’s a clear
and present danger with APIs that organizations need to address,” said
Alissa Knight, Senior Analyst with Aite Group.

Enumeration attacks

Any application, not just video conferencing, that exposes short numeric
or alphanumeric identifiers through an endpoint that reveals whether a
given identifier is valid is susceptible to this enumeration technique.
The fact that web conferencing end users tend to disable or ignore
security functionality, for whatever reason, has significant business
ramifications.
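Because the tell-tale of an enumeration run is a single client issuing many lookups for consecutive identifiers, most of which do not exist, the pattern is visible in ordinary API access logs. The following Python is an added example (not from the article or either vendor) that scores clients on request volume, miss ratio and ID sequentiality over a constructed log sample; the log layout, field names and thresholds are assumptions to be adapted to the real gateway format.

```python
"""Spotting a meeting-ID enumeration bot in API access logs.

Added example; not from the article, Cequence, Cisco or Zoom. The log line
layout (timestamp, client, method, path, status) and the thresholds are
assumptions chosen for illustration and should be tuned per deployment.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"/api/meetings/(?P<mid>\d+) (?P<status>\d{3})$"
)

MIN_REQUESTS = 10      # fewer lookups than this is never flagged
MIN_MISS_RATIO = 0.8   # share of lookups that hit a non-existent ID
MAX_STEP = 100         # adjacent IDs closer than this count as a counter walk
MIN_SEQ_FRACTION = 0.8

# Constructed sample: 203.0.113.5 walks consecutive IDs; the others are users.
SAMPLE_LOG = "\n".join(
    [f"2019-07-15T10:03:{i:02d}Z 203.0.113.5 GET /api/meetings/{123456780 + i} "
     f"{200 if 123456780 + i == 123456789 else 404}" for i in range(12)]
    + [
        "2019-07-15T10:04:00Z 198.51.100.7 GET /api/meetings/123456789 200",
        "2019-07-15T10:04:30Z 198.51.100.7 GET /api/meetings/987654321 200",
        "2019-07-15T10:05:00Z 198.51.100.9 GET /api/meetings/111111111 404",
        "2019-07-15T10:05:05Z 198.51.100.9 POST /api/meetings/111111112 200",
    ]
)


def parse(log_text):
    """Yield (src, meeting_id, status) for each meeting-lookup (GET) line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("method") == "GET":
            yield m.group("src"), int(m.group("mid")), int(m.group("status"))


def is_sequential(ids):
    """True if most gaps between sorted distinct IDs are small (a counter walk)."""
    ids = sorted(set(ids))
    if len(ids) < 2:
        return False
    steps = [b - a for a, b in zip(ids, ids[1:])]
    return sum(s <= MAX_STEP for s in steps) / len(steps) >= MIN_SEQ_FRACTION


def client_stats(log_text):
    """Per-client request count, miss ratio and sequential flag."""
    per_src = defaultdict(list)
    for src, mid, status in parse(log_text):
        per_src[src].append((mid, status))
    stats = {}
    for src, events in per_src.items():
        misses = sum(1 for _, st in events if st == 404)
        stats[src] = {
            "requests": len(events),
            "miss_ratio": misses / len(events),
            "sequential": is_sequential([mid for mid, _ in events]),
        }
    return stats


def find_enumerators(log_text):
    """Return the clients whose lookup pattern matches an enumeration bot."""
    return {
        src: s for src, s in client_stats(log_text).items()
        if s["requests"] >= MIN_REQUESTS
        and s["miss_ratio"] >= MIN_MISS_RATIO
        and s["sequential"]
    }


if __name__ == "__main__":
    for src, s in find_enumerators(SAMPLE_LOG).items():
        print(f"{src}: {s['requests']} lookups, "
              f"{s['miss_ratio']:.0%} unknown IDs, sequential={s['sequential']}")
```

On the sample only 203.0.113.5 is flagged: twelve lookups, eleven of them for IDs that do not exist, all one apart. The two ordinary users fall under the request floor, and a single mistyped ID is never enough on its own. The three signals are deliberately combined, since a high miss ratio alone also describes a user with a stale invite and volume alone describes a busy gateway or proxy.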

“Security of all types, from traditional network level to user best
practices, is an increasingly high priority for corporate boards and
ensuring web conferences are secure should be common practice. As a
board member, if for example we are reviewing quarterly financials and
future looking forecasts with the executive team and the meeting is
compromised due to a vulnerability like this, a bad actor would be
able to eavesdrop on the web conference, gaining insider information,”
said Mark Adams, Board Member at Seagate Technology PLC and Cadence
Design Systems.

API as a target for automated attacks

The use of an API as a target for automated attacks is increasingly
common, driven by mobile device ubiquity and the move towards modular
applications where APIs are used as the foundational elements of the
application business logic.

“In targeting an API instead of a web form fill, bad actors are able
to leverage the same benefits of ease of use and flexibility that APIs
bring to the development community,” said Shreyans Mehta, Cequence
Security CTO. “In the case of the Prying-Eye vulnerability, users
should embrace the shared responsibility model and take advantage of
the web conferencing vendors’ security features to not only protect
their meetings but also take the extra step of confirming the attendee
identities.”

Addressing the vulnerability

The CQ Prime team notified the impacted vendors and gave them time to
validate and respond to the findings after the initial discovery in
July 2019.

Both Cisco and Zoom have posted advisories to their customer base with
steps on how to address this vulnerability.

According to the Cisco Product Security Incident Response Team
(PSIRT), “We have issued an informational security advisory to provide
our customers with the information they require. Notably, the most
effective step to strengthen the security of all meetings is to
require a password – which is enabled by default for all Webex
meetings. Cisco PSIRT is not aware of any malicious exploitation of
this potential attack scenario.”

“Zoom has improved our server protections to make it much harder for
bad actors or malicious bots to troll for access into Zoom meetings.
In addition to our detection and prevention mechanisms in the data
center, we provide meeting hosts with extensive protection controls,
such as preventing attendees from joining a meeting before the host,
and the very popular waiting room feature. Zoom hosts can also choose
to protect their meetings and webinars via password. Passwords are now
enabled as the default setting for Zoom meetings, but as is true of
other security options, meeting hosts are free to choose security
settings that are most appropriate to the sensitivity of their
meetings,” said Richard Farley, CISO of Zoom Video Communications,
Inc.

