As globalization and mobility both advance, organizations are turning to web-based unified communications systems as a means of improving collaboration and reducing costs. Fuze is one such service. It offers voice (with conferencing), video (with conferencing) and messaging, all from anywhere at any time and any device.
The security of web-based third-party service providers is a major concern for business, where security audits are difficult and expensive. It often comes down to reputation: if other major businesses are using a particular service, it must be good.
Fuze has a number of major clients, including Associated Press, USAuto Sales and ThoughtWorks. But reputation does not equal security, as Rapid7 researcher Samuel Huckins discovered in February 2017 and disclosed today. Huckins discovered ‘improper access control’ of Fuze meetings.
More specifically, he notes, “Meetings recorded on the Fuze collaboration platform did not have sufficient controls to ensure that the recordings were kept private (CWE-284).” Recorded Fuze meetings are saved to the cloud hosting service, from where they could be accessed via an URL with the format /browser.fuzemeeting.com/?replayID=7digitnum.
‘7digitnum’ is a seven-digit number that increments over time. The problem, according to Rapid7, is that the 7 digit number is insufficient to resist brute-forcing. Specific meeting recordings could be downloaded by third-parties simply by guessing a replay ID reasonably close to the target and iterating through possible 7-digit numbers. The format also allows a third-party to use a search engine to find available recordings.
The threat is clear. Meetings are used to discuss plans, share and collaborate on intellectual property, and generally conduct international business. The potential is for sensitive data to fall into the wrong hands.
Rapid7 reported the issue to Fuze on Monday, February 27, 2017. Two days later, March 1, 2017, Fuze disabled public access via the earlier URL format. In a statement, it commented, “Security is a top priority for Fuze and we appreciate Rapid7 identifying this issue and bringing it to our attention. When we were informed by the Rapid7 team of the issue, we took immediate action and have resolved the problem.”
“As of Mar 10, 2017,” reports Rapid7, “all meeting recordings now appear to require password authentication in order to be viewed from Fuze’s cloud-hosted web application via direct browsing or from the Fuze desktop and mobile clients. This authentication control is configurable by the user via the client applications as of version 4.3.1 (released on Mar 10, 2017). Fuze users are encouraged to update their Fuze client applications in order to take advantage of new access controls.”
It was a silly security issue easily solved — but one that could have had serious consequences for Fuze’s clients. It highlights the need for all cloud usage to be signed off by an organization’s security team rather than simply rubber-stamped by the IT department. A security professional might have seen at the outset that URL-based access control is simply not good enough — but similarly, Fuze should never have designed its system like that in the first place.