A firm of vulnerability testing specialists has just discovered a security vulnerability in the Zoom and Cisco Webex video conferencing platforms. According to reports, exploiting this flaw would allow a threat actor to list and access unprotected active meetings on these platforms.
There are at least three dozen video conferencing service providers, and many of them use similar techniques for identifying a session. The experts, from CQ Prime, analyzed only the two platforms mentioned above, but consider that, because other services rely on similar methods, they could also be exposed to the same kind of attack.
The vulnerability, named Prying-Eye, is an example of an enumeration attack that specifically targets video conferencing APIs, using a bot that iterates over and discovers valid numeric meeting identifiers (IDs). Combined with bad practices, such as disabling security features or not setting a password, this flaw allows attackers to join active video conferencing sessions. According to vulnerability testing experts, threat actors can even gather information that is useful for future intrusions.
“This is a clear sign that when adequate security measures are lacking, APIs are an increasingly hacker-exploited attack vector,” the experts mention. “In their bid to stay protected, it is common for companies to opt for the wrong technology to secure their APIs, such as web application firewalls,” the experts add.
Vulnerability testing specialists point out that any web application that uses numeric or alphanumeric identifiers is exposed to enumeration attacks. In this case, the problem is compounded because end users of video conferencing services often disable some security measures or simply ignore them, further exposing themselves to such attacks.
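The two paragraphs above describe the attack from the attacker's side: a bot walks numeric meeting IDs and notes which ones answer. From the service operator's side, that same behaviour leaves a distinctive trace in API access logs, which is what the following added example detects. It is not code from the original article or from either vendor; the log format, the `/api/v1/meetings/<id>` endpoint path and the thresholds are assumptions chosen for illustration.

```python
"""Flag meeting-ID enumeration in conferencing-API access logs (added example;
log format, endpoint path and thresholds are assumptions, not vendor specifics)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, method, path, HTTP status.
# One client fetches a meeting it was invited to; the other walks consecutive
# numeric IDs and mostly gets "not found", the fingerprint of an enumeration bot.
SAMPLE_LOG = """\
2019-10-01T10:00:01Z 198.51.100.7 GET /api/v1/meetings/482913002 200
2019-10-01T10:00:02Z 203.0.113.5 GET /api/v1/meetings/100000001 404
2019-10-01T10:00:02Z 203.0.113.5 GET /api/v1/meetings/100000002 404
2019-10-01T10:00:03Z 203.0.113.5 GET /api/v1/meetings/100000003 404
2019-10-01T10:00:03Z 203.0.113.5 GET /api/v1/meetings/100000004 200
2019-10-01T10:00:04Z 203.0.113.5 GET /api/v1/meetings/100000005 404
2019-10-01T10:00:04Z 203.0.113.5 GET /api/v1/meetings/100000006 404
2019-10-01T10:00:05Z 203.0.113.5 GET /api/v1/meetings/100000007 404
"""

def parse_line(line):
    """Split one access-log line into (timestamp, client IP, meeting ID, status)."""
    ts, ip, _method, path, status = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, ip, path.rsplit("/", 1)[-1], int(status)

def find_enumerators(log_text, window=timedelta(seconds=60),
                     min_ids=5, min_miss_ratio=0.5):
    """Return {client_ip: (distinct_ids, miss_ratio)} for clients that, inside
    any `window`, probe at least `min_ids` distinct meeting IDs with at least
    `min_miss_ratio` of the lookups answered 404. A participant who knows their
    meeting ID never produces that pattern; a guessing bot almost always does."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        when, ip, meeting_id, status = parse_line(line)
        events[ip].append((when, meeting_id, status))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {mid for _, mid, _ in span}
            miss_ratio = sum(1 for *_, s in span if s == 404) / len(span)
            if len(distinct) >= min_ids and miss_ratio >= min_miss_ratio:
                flagged[ip] = (len(distinct), round(miss_ratio, 2))
    return flagged
```

Flagged clients are candidates for rate limiting or blocking at the API gateway; the not-found ratio is what separates them from a busy but legitimate integration that only ever asks for meetings it already knows.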
On the other hand, APIs have become a commonplace target of automated attacks, mainly because of the spread of mobile devices and the shift to modular applications in which APIs are central elements of the application logic.
“Focusing the attack on an API instead of attacking a web form, hackers could take advantage of the benefits that APIs bring to developers,” the specialists say. To mitigate this vulnerability, administrators could adopt a shared responsibility model and use the security features offered by web conferencing providers, not only to protect their meetings but also to add a further layer that confirms the identity of the participants in a session.
According to vulnerability testing specialists from the International Cyber Security Institute (IICS), both companies have already been notified and have issued notices to their users on how to reduce the risk of this vulnerability being exploited. The Cisco Incident Response Team recommended that its users enable passwords by default for all Cisco Webex sessions. The company states that so far there is no evidence of exploitation of this vulnerability in the wild.