Malicious actors may be able to easily access unprotected Cisco WebEx and Zoom meetings due to an API enumeration vulnerability, Cequence Security’s CQ Prime threat research team revealed on Tuesday.
Cequence researchers discovered that the APIs for Cisco WebEx, Zoom and possibly other online conferencing products are vulnerable to enumeration attacks. The vulnerability has been dubbed Prying-Eye.
According to the company, WebEx and Zoom allow a bot to automatically cycle through all potentially valid meeting IDs via API calls. Once they obtain valid meeting IDs, attackers can try to access meetings in hopes that the user has not set a password, allowing them to spy on individuals and organizations.
The vulnerability is even more worrying where users have set a personal meeting ID to simplify meeting management: once attackers obtain that ID, they may be able to snoop over an extended period of time.
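On the server side, the enumeration described above shows up as a single client resolving many distinct meeting IDs in quick succession, most of which do not exist. The following Python is an added detection example, not code from Cequence, Cisco or Zoom; the log format, the `/api/meetings/<id>` path and the client addresses are constructed assumptions, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample API access log (not real traffic), one lookup per line:
# 203.0.113.7 walks a range of meeting IDs and mostly gets 404; 198.51.100.4 resolves its own two.
SAMPLE_LOG = """\
2019-10-01T10:00:00Z 203.0.113.7 GET /api/meetings/100000001 404
2019-10-01T10:00:02Z 203.0.113.7 GET /api/meetings/100000002 404
2019-10-01T10:00:04Z 203.0.113.7 GET /api/meetings/100000003 404
2019-10-01T10:00:06Z 203.0.113.7 GET /api/meetings/100000004 200
2019-10-01T10:00:08Z 203.0.113.7 GET /api/meetings/100000005 404
2019-10-01T10:00:10Z 203.0.113.7 GET /api/meetings/100000006 404
2019-10-01T10:00:12Z 198.51.100.4 GET /api/meetings/555123456 200
2019-10-01T10:00:14Z 203.0.113.7 GET /api/meetings/100000007 404
2019-10-01T10:00:16Z 203.0.113.7 GET /api/meetings/100000008 404
2019-10-01T10:05:00Z 198.51.100.4 GET /api/meetings/555123457 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/meetings/(\d+) (\d{3})$")

def parse_log(text):
    """Yield (timestamp, client, meeting_id, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def find_enumerators(text, window_s=60, min_distinct=5, min_miss_ratio=0.8):
    """Return {client: (distinct_ids, miss_ratio)} for clients that, within any window_s-second
    span, request >= min_distinct different meeting IDs with >= min_miss_ratio answered 404."""
    per_client = defaultdict(list)
    for ts, client, meeting_id, status in parse_log(text):
        per_client[client].append((ts, meeting_id, status))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] spans at most window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            distinct = {mid for _, mid, _ in window}
            miss_ratio = sum(1 for _, _, st in window if st == 404) / len(window)
            if len(distinct) >= min_distinct and miss_ratio >= min_miss_ratio:
                flagged[client] = (len(distinct), round(miss_ratio, 2))
                break  # first window that trips the rule is enough to flag the client
    return flagged
```

The sliding window is what separates a scanner from a legitimate client that looks up a handful of meetings over a day; the miss ratio distinguishes guessing from a client that knows its IDs.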
“This vulnerability highlights the astronomical growth of API usage and the need to secure them not only from traditional vulnerability exploits, but from seemingly legitimate, yet automated bot attacks,” Cequence researchers explained. “Driven by mobile device ubiquity and the move towards modular applications where APIs are used as the foundational elements of the application business logic, direct-to-API attacks are increasingly common. By targeting the API as opposed to scripting a form fill, a bad actor can leverage the same benefits of ease of use, efficiency and flexibility that APIs bring to the development community.”
Cisco and Zoom were notified of Prying-Eye in July and they both issued advisories to warn users about the risks. However, the vendors don’t view this issue as an actual vulnerability.
Cisco has published an informational advisory clarifying that WebEx meetings are protected by a password in the default configuration, but users may be able to disable this password protection.
“When users are signed in to the Cisco Webex application, they do not have to manually type in passwords – thus removing any friction in the meeting join process. In addition, Cisco Webex provides the host with controls that protect the meeting – such as disallowing join before host, locking a meeting as well as ensuring guests do not join without authentication. We also provide a simple lobby experience to ensure meeting hosts are notified if a guest wants to join,” Cisco said, claiming that it’s not aware of any instances where this weakness has been exploited for malicious purposes.
After being notified by Cequence, Zoom said it has made some changes and passwords are now enabled by default for meetings, with users being given the option to choose other security settings for their meetings.
“Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature,” Zoom said.