Cequence Security’s CQ Prime Threat Research Team discovered a vulnerability in the Cisco Webex and Zoom video conferencing platforms that potentially allows an attacker to enumerate (list) and view active meetings that are not protected.
The web conferencing market includes nearly three dozen vendors, some of whom may use similar meeting identification techniques. Although the CQ Prime team did not test each of these products, it is possible they could be susceptible as well.
The Prying-Eye vulnerability is an example of an enumeration attack that targets web conferencing APIs with a bot that cycles through (enumerates) numeric meeting IDs and discovers the valid ones. If the meeting host has followed the common user practice of disabling security functionality or not assigning a password, the bad actor would be able to view or listen to an active meeting. If a user has chosen the option of configuring a personal meeting ID to simplify meeting management, a bad actor can store that information for future snooping activity.
“The Cequence finding highlights the fact that APIs are a growing attack surface and that APIs can be exploited when not properly secured. Organizations are struggling to figure out how to protect their APIs and often use the wrong technology to secure them, such as API gateways, web application firewalls or nothing at all. With Akamai recently announcing that 82% of their CDN traffic is API traffic, and with the average organization running over 600 APIs, there’s a clear and present danger with APIs that organizations need to address,” said Alissa Knight, Senior Analyst with Aite Group.
Any application, not just video conferencing, that uses numeric or alphanumeric identifiers is susceptible to an enumeration attack technique. The fact that web conferencing end users have a tendency to either disable or ignore security functionality, for whatever reason, has significant business ramifications.
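On the defending side, enumeration of this kind leaves a recognizable trace in API access logs: one client looks up many distinct meeting IDs in a short time and most lookups fail. The following detection sketch is an added example, not code from Cequence, Cisco or Zoom; the log format, the /api/meetings/ path, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, client IP, method, path, HTTP status.
LINE = re.compile(r"(\S+) (\S+) GET /api/meetings/(\d+) (\d{3})$")

def find_enumerators(lines, window=timedelta(seconds=60), min_ids=20, min_miss=0.8):
    """Return {client: (distinct_ids, miss_ratio)} for clients that, inside any
    sliding window, look up many distinct meeting IDs and mostly get 404."""
    per_client = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, client, meeting_id, status = m.groups()
            per_client[client].append((datetime.fromisoformat(ts), meeting_id, int(status)))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        win = deque()
        for ev in events:
            win.append(ev)
            while ev[0] - win[0][0] > window:   # drop events older than the window
                win.popleft()
            ids = {e[1] for e in win}
            misses = sum(1 for e in win if e[2] == 404) / len(win)
            if len(ids) >= min_ids and misses >= min_miss:
                best = flagged.get(client, (0, 0.0))
                if len(ids) > best[0]:          # keep the widest sweep seen
                    flagged[client] = (len(ids), round(misses, 2))
    return flagged

def sample_log():
    """Constructed sample: one client sweeping IDs, one ordinary attendee."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(40):  # 203.0.113.7 probes 40 consecutive IDs in 40 s; 2 exist
        status = 200 if i in (11, 29) else 404
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 GET /api/meetings/{500000000 + i} {status}")
    for i in range(5):   # 198.51.100.4 rejoins the same meeting once a minute
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} 198.51.100.4 GET /api/meetings/500000011 200")
    return lines

if __name__ == "__main__":
    for client, (n, ratio) in find_enumerators(sample_log()).items():
        print(f"{client}: {n} distinct meeting IDs, {ratio:.0%} not found")
```

Keying on distinct IDs and miss ratio rather than raw request rate keeps an attendee who repeatedly rejoins one meeting from being flagged.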
“Security of all types, from traditional network level to user best practices, is an increasingly high priority for corporate boards and ensuring web conferences are secure should be common practice. As a board member, if for example we are reviewing quarterly financials and future looking forecasts with the executive team and the meeting is compromised due to a vulnerability like this, a bad actor would be able to eavesdrop on the web conference, gaining insider information,” said Mark Adams, Board Member at Seagate Technology PLC and Cadence Design Systems.
API as a target for automated attacks
The use of an API as a target for automated attacks is increasingly common, driven by mobile device ubiquity and the move towards modular applications where APIs are used as the foundational elements of the application business logic.
“In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community,” said Shreyans Mehta, Cequence Security CTO. “In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities.”
Addressing the vulnerability
The CQ Prime team notified the impacted vendors and gave them time to validate and respond to the findings after the initial discovery in July 2019.
According to the Cisco Product Security Incident Response Team (PSIRT), “We have issued an informational security advisory to provide our customers with the information they require. Notably, the most effective step to strengthen the security of all meetings is to require a password – which is enabled by default for all Webex meetings. Cisco PSIRT is not aware of any malicious exploitation of this potential attack scenario.”
“Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature. Zoom hosts can also choose to protect their meetings and webinars via password. Passwords are now enabled as the default setting for Zoom meetings, but as is true of other security options, meeting hosts are free to choose security settings that are most appropriate to the sensitivity of their meetings,” said Richard Farley, CISO of Zoom Video Communications, Inc.