Prying-Eye vulnerability potentially exposes millions of online meetings to snooping
SUNNYVALE, CA – October 1, 2019 — Cequence Security’s CQ Prime Threat Research Team today announced the discovery of a vulnerability in the Cisco Webex and Zoom video conferencing platforms that potentially allows an attacker to enumerate (list) and view active meetings that are not protected. Following responsible-disclosure best practices, the CQ Prime team notified the affected vendors after the initial discovery in July 2019 and gave them time to validate and respond to the findings. The web conferencing market includes nearly three dozen vendors, some of whom may use similar meeting identification techniques. Although the CQ Prime team did not test each of these products, it is possible they are susceptible as well.
The Prying-Eye vulnerability is an example of an enumeration attack: a bot targets the web conferencing APIs and cycles through (enumerates) the numeric meeting ID space, recording which IDs correspond to live meetings. Where the host has followed the common practice of disabling security features or not setting a meeting password, the attacker can then view or listen to the active meeting. Where the host has configured a personal meeting ID to simplify meeting management, an ID that stays the same from meeting to meeting, the attacker can store it for future snooping.
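The following is an added example, not code from Cequence, Cisco or Zoom, that models the attack just described and the two defences the vendors point to below: a host-set password and server-side detection of enumeration traffic. It runs against an in-process toy join endpoint; every meeting ID, IP address, password and log record is constructed for the example, and the 1,000-ID keyspace is an assumption chosen so the scan finishes instantly (real meeting ID spaces are far larger, which is why the attack is automated).

```python
"""Added example (not Cequence, Cisco or Zoom code): a toy model of numeric
meeting-ID enumeration, the password defence, and bot detection from join logs.
All meeting IDs, IPs, passwords and log records are constructed."""
from collections import defaultdict

ID_LOW, ID_HIGH = 100_000, 100_999   # assumption: a 1,000-ID toy keyspace


class MeetingService:
    """Toy join endpoint. With require_password=False a valid numeric ID alone
    admits an attendee, the weak posture the press release describes."""

    def __init__(self, require_password=False):
        self.require_password = require_password
        self.meetings = {}   # meeting_id -> password (None when unprotected)
        self.log = []        # (source_ip, meeting_id, outcome) per join attempt

    def create_meeting(self, meeting_id, password=None):
        if self.require_password and not password:
            raise ValueError("server policy: meetings must have a password")
        self.meetings[meeting_id] = password

    def join(self, source_ip, meeting_id, password=None):
        if meeting_id not in self.meetings:
            outcome = "no_such_meeting"
        elif self.meetings[meeting_id] is None:
            outcome = "joined"                 # ID alone was enough: snooped
        elif password == self.meetings[meeting_id]:
            outcome = "joined"
        else:
            outcome = "password_required"      # kept out, but still an existence oracle
        self.log.append((source_ip, meeting_id, outcome))
        return outcome


def enumerate_meetings(service, source_ip, low=ID_LOW, high=ID_HIGH):
    """The bot side: walk the numeric range with no password and record which
    IDs let us in and which merely exist behind a password."""
    joined, exists = [], []
    for meeting_id in range(low, high + 1):
        outcome = service.join(source_ip, meeting_id)
        if outcome == "joined":
            joined.append(meeting_id)
        elif outcome == "password_required":
            exists.append(meeting_id)
    return joined, exists


def flag_enumerators(log, distinct_ids_threshold=50, miss_ratio=0.9):
    """Server-side detection: a legitimate attendee probes one or two IDs;
    a scanner touches many distinct IDs and almost all of them miss."""
    probes = defaultdict(set)
    misses = defaultdict(int)
    for source_ip, meeting_id, outcome in log:
        probes[source_ip].add(meeting_id)
        if outcome != "joined":
            misses[source_ip] += 1
    return sorted(ip for ip, ids in probes.items()
                  if len(ids) >= distinct_ids_threshold
                  and misses[ip] / len(ids) > miss_ratio)


def demo(require_password):
    """Run the scan against a service with or without the password policy."""
    svc = MeetingService(require_password)
    pw = "constructed-host-password" if require_password else None
    for mid in (100_042, 100_777):            # constructed live meetings
        svc.create_meeting(mid, pw)
    svc.join("10.0.0.5", 100_042, pw)         # one legitimate attendee
    joined, exists = enumerate_meetings(svc, "203.0.113.9")
    return {"snooped": joined, "exists_only": exists,
            "flagged": flag_enumerators(svc.log)}


if __name__ == "__main__":
    print(demo(require_password=False))   # bot joins both meetings
    print(demo(require_password=True))    # bot joins nothing, but learns which IDs exist
```

Two things the run shows that the paragraph alone does not: the password stops the snooping but the join endpoint still answers differently for live and dead IDs, so a scanner can still build a list of real meetings (which is why the vendor responses below stress server-side bot protections as well as passwords); and the enumerator's fingerprint in the logs, one source touching hundreds of distinct IDs with a near-total failure rate, is easy to separate from the single-ID pattern of a genuine attendee.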
Alissa Knight, Senior Analyst with Aite Group, who received an in-person briefing on this vulnerability at Cequence headquarters, said, “The Cequence finding highlights the fact that APIs are a growing attack surface and that APIs can be exploited when not properly secured. Organizations are struggling to figure out how to protect their APIs and often use the wrong technology to secure them, such as API gateways, web application firewalls or nothing at all. With Akamai recently announcing that 82% of their CDN traffic is API traffic, and with the average organization running over 600 APIs, there’s a clear and present danger with APIs that organizations need to address.”
Any application, not just video conferencing, that exposes resources behind short or predictable numeric or alphanumeric identifiers is susceptible to the same enumeration technique. The tendency of web conferencing end users to disable or ignore security functionality, for whatever reason, has significant business ramifications. Mark Adams, Board Member at Seagate Technology PLC and Cadence Design Systems, states, “Security of all types, from traditional network level to user best practices, is an increasingly high priority for corporate boards and ensuring web conferences are secure should be common practice. As a board member, if for example we are reviewing quarterly financials and future looking forecasts with the executive team and the meeting is compromised due to a vulnerability like this, a bad actor would be able to eavesdrop on the web conference, gaining insider information.”
The use of an API as the target of automated attacks is increasingly common, driven by the ubiquity of mobile devices and the move towards modular applications in which APIs are the foundational elements of the application business logic. “In targeting an API instead of a web form, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community,” said Shreyans Mehta, Cequence Security CTO and co-founder. “In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities.”
Based on the details the CQ Prime Team shared with the vendors, both Cisco and Zoom have posted advisories to their customers with steps on how to address this vulnerability:
- Cisco WebEx: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191001-webex-enum
- Zoom: https://support.zoom.us/hc/en-us/articles/360033331271
Cisco Quote: According to the Cisco Product Security Incident Response Team (PSIRT), “Cisco maintains a very open relationship with the security community, and we view this as vital to helping protect our customers. We have issued an informational security advisory to provide our customers with the information they require. Notably, the most effective step to strengthen the security of all meetings is to require a password – which is enabled by default for all Webex meetings. We believe in providing the most secure meetings experience without compromising on usability. When users are signed in to Cisco Webex application, they do not have to manually type in passwords – thus removing any friction in the meeting join process. In addition, Cisco Webex provides the host with controls that protect the meeting – such as disallowing join before host, locking a meeting as well as ensuring guests do not join without authentication. We also provide a simple lobby experience to ensure meeting hosts are notified if a guest wants to join. Cisco PSIRT is not aware of any malicious exploitation of this potential attack scenario. Cisco would like to thank the CQ Prime research team for reporting this finding and collaborating on a coordinated disclosure.”
Zoom Quote: “We are grateful that the CQ Prime research team alerted us to the potential for malicious third parties to find Zoom meeting IDs through enumeration attacks,” said Richard Farley, CISO of Zoom Video Communications, Inc. “Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature. Zoom hosts can also choose to protect their meetings and webinars via password. Passwords are now enabled as the default setting for Zoom meetings, but as is true of other security options, meeting hosts are free to choose security settings that are most appropriate to the sensitivity of their meetings.”
About CQ Prime
CQ Prime is a new threat research initiative led by the data science and threat intelligence teams at Cequence Security. CQ Prime focuses on delivering qualitative analysis on the four elements that comprise an automated malicious bot attack: infrastructure, tools, credentials and behavior. The CQ Prime mission is to understand the inner workings of these attacks and share the findings with Cequence customers and the security industry to help improve their collective prevention efforts.
About Cequence Security
Cequence Security is a venture-backed cybersecurity software company founded in 2015 and based in Sunnyvale, CA. Its mission is to transform application security by consolidating multiple innovative security functions within an open, AI-powered software platform that protects customers’ web, mobile, and API-based applications – and supports today’s cloud-native, container-based application architectures. The company is led by industry veterans who previously held leadership positions at Palo Alto Networks and Symantec. Customers include F500 organizations across multiple vertical markets, and the solution has earned multiple industry accolades, including 2018 Gartner Cool Vendor. Learn more at www.cequence.ai.