SecurityWeek

Identity & Access

WebEx, Zoom Meetings Exposed to Snooping via Enumeration Attacks

Malicious actors may be able to easily access unprotected Cisco WebEx and Zoom meetings due to an API enumeration vulnerability, Cequence Security’s CQ Prime threat research team revealed on Tuesday.

Cequence researchers discovered that the APIs for Cisco WebEx, Zoom and possibly other online conferencing products are vulnerable to enumeration attacks. The vulnerability has been dubbed Prying-Eye.

According to the company, the WebEx and Zoom APIs let a bot automatically cycle through all potentially valid meeting IDs and learn which of them correspond to real meetings. Once attackers hold valid meeting IDs, they can try to join those meetings in the hope that the host has not set a password, which would allow them to spy on individuals and organizations.

The vulnerability is even more worrying in cases where users sought to simplify meeting management by setting a personal meeting ID. Because a personal ID is fixed and reused across meetings rather than generated per meeting, an attacker who obtains it may be able to snoop over an extended period of time.
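To make the enumeration pattern concrete, here is an added example in Python; it is not code from Cequence, Cisco or Zoom. It models a conferencing "join" API backed by an in-memory meeting table. The meeting table, the three-digit ID space (real ID spaces are far larger, but the mechanics are identical), the response shapes, the throttling threshold and the choice to refuse joins to any meeting that has no password set are all assumptions made for illustration. The vulnerable endpoint is an existence oracle: it tells anyone whether an ID is live and whether it needs a password. The hardened endpoint requires a password for every meeting, answers unknown IDs and wrong passwords with one identical response, and throttles a client after a handful of failures, so the same bot loop learns nothing.

```python
"""Hypothetical model of the Prying-Eye meeting-ID enumeration pattern.

Added example, not vendor code. A leaky lookup endpoint lets a bot walk the
ID space and confirm which meetings exist; a hardened join endpoint removes
the oracle (uniform error, mandatory password, per-client throttling).
"""
from collections import defaultdict
from typing import Optional

# Constructed sample data: a tiny 3-digit ID space so the whole space can be
# walked in a test. Real products use much longer IDs, but a bot that can
# issue API calls at scale walks those the same way.
ID_SPACE = [f"{n:03d}" for n in range(1000)]
MEETINGS = {
    "042": {"password": None},      # host disabled the password
    "317": {"password": "s3cret"},  # password-protected
    "850": {"password": None},      # personal meeting ID, reused indefinitely
}


def vulnerable_lookup(meeting_id: str) -> dict:
    """Leaky endpoint: answers 'does this ID exist?' to anyone, no password needed,
    and even reveals whether joining will require one."""
    meeting = MEETINGS.get(meeting_id)
    if meeting is None:
        return {"status": 404, "error": "meeting not found"}
    return {"status": 200, "requires_password": meeting["password"] is not None}


def enumerate_meetings(lookup, id_space):
    """Bot loop: walk the ID space and keep every ID the endpoint confirms as live.
    Returns [(meeting_id, requires_password), ...] in ID order."""
    found = []
    for mid in id_space:
        resp = lookup(mid)
        if resp["status"] == 200:
            found.append((mid, resp.get("requires_password")))
    return found


class HardenedJoinAPI:
    """Join endpoint that (1) requires a password for every meeting,
    (2) returns one generic response for unknown ID and bad password, and
    (3) throttles a client after MAX_ATTEMPTS failed joins.
    MAX_ATTEMPTS and the 'no password means not joinable' rule are assumptions."""

    MAX_ATTEMPTS = 5
    GENERIC = {"status": 403, "error": "invalid meeting id or password"}

    def __init__(self, meetings):
        self.meetings = meetings
        self.failures = defaultdict(int)  # failed attempts per client

    def join(self, client: str, meeting_id: str, password: Optional[str]) -> dict:
        if self.failures[client] >= self.MAX_ATTEMPTS:
            return {"status": 429, "error": "too many attempts"}
        meeting = self.meetings.get(meeting_id)
        expected = meeting["password"] if meeting else None
        # Unknown ID, meeting without a password, or wrong password all take the
        # same branch and return the same body, so the response carries no
        # information about whether the ID exists.
        if meeting is None or expected is None or password != expected:
            self.failures[client] += 1
            return dict(self.GENERIC)
        return {"status": 200, "joined": meeting_id}


def bot_against_hardened(api: HardenedJoinAPI, client: str = "bot"):
    """Run the same enumeration loop against the hardened endpoint with no password."""
    return enumerate_meetings(lambda mid: api.join(client, mid, None), ID_SPACE)


if __name__ == "__main__":
    print("leaky endpoint reveals:", enumerate_meetings(vulnerable_lookup, ID_SPACE))
    api = HardenedJoinAPI(MEETINGS)
    print("hardened endpoint reveals:", bot_against_hardened(api))
    print("legit join:", HardenedJoinAPI(MEETINGS).join("alice", "317", "s3cret"))
```

Against the leaky endpoint the bot comes back with all three live IDs and knows that two of them need no password; against the hardened one it gets five identical 403 bodies, then 429 for the rest of the space, and its result list stays empty. Note that the throttle alone is not the fix: a distributed bot spreads attempts across many clients, which is why the uniform response and the mandatory password carry the real weight.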

“This vulnerability highlights the astronomical growth of API usage and the need to secure them not only from traditional vulnerability exploits, but from seemingly legitimate, yet automated bot attacks,” Cequence researchers explained. “Driven by mobile device ubiquity and the move towards modular applications where APIs are used as the foundational elements of the application business logic, direct-to-API attacks are increasingly common. By targeting the API as opposed to scripting a form fill, a bad actor can leverage the same benefits of ease of use, efficiency and flexibility that APIs bring to the development community.”

Cisco and Zoom were notified of Prying-Eye in July and they both issued advisories to warn users about the risks. However, the vendors don’t view this issue as an actual vulnerability.

Cisco has published an informational advisory clarifying that WebEx meetings are password-protected in the default configuration, but that users may be able to disable this protection.

“When users are signed in to Cisco Webex application, they do not have to manually type in passwords – thus removing any friction in the meeting join process. In addition, Cisco Webex provides the host with controls that protect the meeting – such as disallowing join before host, locking a meeting as well as ensuring guests do not join without authentication. We also provide a simple lobby experience to ensure meeting hosts are notified if a guest wants to join,” Cisco said, claiming that it’s not aware of any instances where this weakness has been exploited for malicious purposes.

After being notified by Cequence, Zoom said it has made some changes: passwords are now enabled by default for meetings, and users are given the option to choose other security settings for their meetings.

“Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature,” Zoom said.
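The server-side detection both vendors refer to comes down to spotting one client touching many distinct meeting IDs in a short window with most requests answered "not found". The following is an added example, not Zoom's or Cisco's code, that runs that check over constructed API access-log lines. The log format, the endpoint path, the IP addresses and the thresholds (five distinct IDs within sixty seconds, at least 60% misses) are assumptions for illustration.

```python
"""Added example (not vendor code): flag meeting-ID enumeration in API logs.

A bot walking the ID space shows up as one client requesting many distinct
meeting IDs in a short window, with nearly every request answered 404. A
legitimate user rejoining the same meeting, or mistyping an ID once, does
not trip the check. Log format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, client IP, method, path, HTTP status.
SAMPLE_LOG = """\
2019-10-01T12:00:00Z 198.51.100.4 GET /api/v1/meetings/100200300 200
2019-10-01T12:00:01Z 203.0.113.7 GET /api/v1/meetings/100200301 404
2019-10-01T12:00:01Z 203.0.113.7 GET /api/v1/meetings/100200302 404
2019-10-01T12:00:02Z 203.0.113.7 GET /api/v1/meetings/100200303 404
2019-10-01T12:00:02Z 203.0.113.7 GET /api/v1/meetings/100200304 200
2019-10-01T12:00:03Z 203.0.113.7 GET /api/v1/meetings/100200305 404
2019-10-01T12:00:03Z 203.0.113.7 GET /api/v1/meetings/100200306 404
2019-10-01T12:00:04Z 203.0.113.7 GET /api/v1/meetings/100200307 404
2019-10-01T12:00:30Z 198.51.100.4 GET /api/v1/meetings/100200300 200
2019-10-01T12:05:00Z 198.51.100.9 GET /api/v1/meetings/555000111 404
2019-10-01T12:05:10Z 198.51.100.9 GET /api/v1/meetings/555000112 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"/api/v1/meetings/(?P<mid>\d+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Yield (timestamp, ip, meeting_id, status) for each well-formed line;
    lines for other endpoints or malformed entries are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["mid"], int(m["status"])


def find_enumerators(text, window=timedelta(seconds=60),
                     min_distinct=5, min_miss_ratio=0.6):
    """Return {ip: (distinct_ids, miss_ratio)} for clients that, within any
    sliding `window`, requested at least `min_distinct` different meeting IDs
    with a 404 share of at least `min_miss_ratio`. For a flagged client the
    window with the most distinct IDs is reported."""
    events = defaultdict(list)
    for ts, ip, mid, status in parse_log(text):
        events[ip].append((ts, mid, status))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = len({mid for _, mid, _ in win})
            miss_ratio = sum(1 for _, _, st in win if st == 404) / len(win)
            if distinct >= min_distinct and miss_ratio >= min_miss_ratio:
                if distinct > flagged.get(ip, (0, 0.0))[0]:
                    flagged[ip] = (distinct, miss_ratio)
    return flagged


if __name__ == "__main__":
    for ip, (distinct, ratio) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {distinct} distinct meeting IDs, {ratio:.0%} not found")
```

On the sample, only 203.0.113.7 is flagged (seven distinct IDs in four seconds, six of seven answered 404); the client that rejoins one meeting and the client that mistypes an ID once are left alone. Two caveats a practitioner should keep in mind: a bot spread across many source addresses defeats per-IP counting, so the same aggregation is worth running per account, API key or device fingerprint, and the miss-ratio signal disappears entirely once the API stops distinguishing unknown IDs from wrong passwords, at which point request volume per client becomes the primary indicator.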

Related: Zoom Conferencing App Exposes Enterprises to Attacks

Related: Mac Zoom Web Server Allows for Remote Code Execution

Related: Cisco Patches Remote Command Execution in Webex Teams Client

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
