Vulnerability in Cisco WebEx and Zoom allows hackers to access their sessions… again?

A firm of vulnerability testing specialists has discovered a security weakness in the Zoom and Cisco Webex video conferencing platforms. According to reports, exploiting this flaw would allow a threat actor to enumerate and join active meetings that have no password or other protection set.

There are at least three dozen video conferencing providers, and many of them identify a session the same way: with a numeric meeting ID. The researchers, from CQ Prime, analyzed only the two platforms named above, but because other services use similar identifiers they consider it likely that those services are exposed to the same attack.

The vulnerability, named Prying-Eye, is an example of an enumeration attack that specifically targets video conferencing APIs: a bot iterates through the space of numeric meeting identifiers (IDs) and records which values correspond to live sessions. Combined with poor practice such as disabling security features or not setting a meeting password, this lets an attacker join active video conferencing sessions. According to the vulnerability testing experts, threat actors can also harvest information from those sessions that is useful for later intrusions.

“This is a clear sign that when adequate security measures are lacking, APIs are an increasingly hacker-exploited attack vector,” the experts mention. “In their bid to stay protected, it is common for companies to opt for the wrong technology to secure their APIs, such as web application firewalls,” the experts add.

Vulnerability testing specialists point out that any web application whose resources are addressed by guessable numeric or alphanumeric identifiers is exposed to enumeration attacks, since an attacker can simply try every value in the ID space. In this case the problem is compounded because end users of video conferencing services often disable the available protections or simply ignore them, further exposing themselves to such attacks.

Meanwhile, APIs have become a routine target for automated attacks, driven mainly by the spread of mobile devices and the shift toward modular applications in which APIs carry the core application logic.

“Focusing the attack on an API instead of attacking a web form, hackers could take advantage of the benefits that APIs bring to developers,” the specialists say. Against this vulnerability, the recommended approach is a shared responsibility model: administrators use the security features the conferencing providers already offer, both to protect their meetings and to add a further layer that confirms the identity of each participant in a session.

According to vulnerability testing specialists from the International Cyber Security Institute (IICS), both companies have been notified and have published guidance for their users on how to mitigate the risk of exploitation. The Cisco Incident Response Team recommended that users enable passwords by default for all Cisco Webex sessions. The company states that so far there is no evidence of this vulnerability being exploited in the wild.
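As an added illustration of the enumeration attack described above and of the password-by-default mitigation Cisco recommends, the following is example code written for this page; it is not code from Zoom, Webex, CQ Prime or Cisco. It models a toy "join meeting" API in memory with a hypothetical 5-digit ID space (real meeting IDs are longer), a weak endpoint that distinguishes unknown IDs from live protected ones and never throttles, and a hardened endpoint that requires a password for every meeting, gives an identical answer for an unknown ID and a wrong password, and cuts a client off after a made-up budget of 20 failures. All meeting IDs, hosts, passwords and client names are constructed.

```python
"""Added example (not Zoom, Webex or CQ Prime code): a Prying-Eye style sweep of a
numeric meeting-ID space against a constructed toy join API, then the same sweep
against a hardened version. All IDs, hosts, passwords and limits are made up."""
import hmac
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional

ID_SPACE = 100_000   # hypothetical 5-digit ID space; real meeting IDs are longer
MAX_FAILED = 20      # hypothetical per-client failure budget before throttling


@dataclass
class Meeting:
    meeting_id: int
    host: str
    password: Optional[str] = None   # None models "the host never set a password"


# Constructed sample state: three live meetings, two of them with no password.
ACTIVE_MEETINGS = {
    12345: Meeting(12345, "alice"),
    40404: Meeting(40404, "bob", "s3cret"),
    77777: Meeting(77777, "carol"),
}

# Per-client failure counters for the hardened endpoint (an in-memory stand-in
# for whatever store a real API gateway would use).
FAILED_ATTEMPTS: dict = defaultdict(int)


def _password_ok(given: Optional[str], expected: Optional[str]) -> bool:
    """Constant-time comparison; False when either side is unset."""
    if given is None or expected is None:
        return False
    return hmac.compare_digest(given.encode(), expected.encode())


def join_weak(meeting_id: int, password: Optional[str] = None, client: str = "anon") -> dict:
    """'Before' endpoint: three distinguishable answers and no throttling.
    Unknown IDs and live-but-protected IDs respond differently, so a sweep can
    map out every live meeting without ever supplying a password."""
    m = ACTIVE_MEETINGS.get(meeting_id)
    if m is None:
        return {"status": "invalid_id"}
    if m.password is None or _password_ok(password, m.password):
        return {"status": "joined", "host": m.host}
    return {"status": "password_required"}


def join_hardened(meeting_id: int, password: Optional[str] = None, client: str = "anon") -> dict:
    """'After' endpoint. (1) A password is required for every meeting, the policy
    Cisco's advisory asks hosts to enable; a meeting with none set is refused rather
    than opened. (2) Unknown ID and wrong password return the identical answer, so
    the endpoint no longer reveals which IDs are live. (3) Failures are counted per
    client and the client is cut off at MAX_FAILED, so a full-space sweep cannot
    finish from one source."""
    if FAILED_ATTEMPTS[client] >= MAX_FAILED:
        return {"status": "throttled"}
    m = ACTIVE_MEETINGS.get(meeting_id)
    if m is not None and _password_ok(password, m.password):
        return {"status": "joined", "host": m.host}
    FAILED_ATTEMPTS[client] += 1
    return {"status": "denied"}


def sweep(join: Callable[..., dict], client: str = "bot", id_space: int = ID_SPACE) -> dict:
    """Prying-Eye style enumeration: request every ID once and bucket the answers.
    Returns the IDs that could be entered outright, the IDs confirmed live but
    password-protected, and, if the endpoint cut the client off, where it stopped."""
    found: dict = {"open": [], "protected": []}
    for candidate in range(id_space):
        r = join(candidate, client=client)
        if r["status"] == "joined":
            found["open"].append(candidate)
        elif r["status"] == "password_required":
            found["protected"].append(candidate)
        elif r["status"] == "throttled":
            found["stopped_at"] = candidate
            break
    return found


if __name__ == "__main__":
    print("weak endpoint:    ", sweep(join_weak))
    print("hardened endpoint:", sweep(join_hardened))
    print("legit host join:  ", join_hardened(40404, "s3cret", client="bob-laptop"))
```

Against the weak endpoint the sweep returns both unprotected meetings as joinable and the third as confirmed live, which is the whole value of the attack: the bot never needs a password to learn where the meetings are. Against the hardened endpoint the same bot learns nothing before it is throttled, while a participant who knows the password still joins. Note that the password requirement alone does not stop the mapping of live IDs; the uniform "denied" answer and the per-client budget are what remove the oracle, which is why a web application firewall in front of an API that still answers differently per ID would not help.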