Rapid7 Finds Vulnerability In Fuze Collaboration Platform

By ISBuzz Team
Writer, Information Security Buzz | May 05, 2017 02:30 am PST

Rapid7 has released its newest disclosure, highlighting a key vulnerability in how meeting recordings are handled by voice, messaging and collaboration service provider Fuze.

The full disclosure can be found here: https://community.rapid7.com/community/infosec/blog/2017/05/02/r7-2017-03-improper-access-control-of-fuze-meeting-recordings-fixed

According to the report, meetings recorded through Fuze’s platform did not have sufficient controls to ensure that the content was kept private. Recordings could be accessed by URLs such as “https://browser.fuzemeeting.com/?replayId=7DIGITNUM”, where “7DIGITNUM” is a seven-digit number that increments over time. Since this identifier did not provide sufficient keyspace to resist brute-forcing, specific meetings could be downloaded by simply guessing a replay ID reasonably close to the target, and then iterating through all likely seven-digit numbers.
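
The following added example, which is not taken from the Rapid7 disclosure or from Fuze, shows how a defender could flag the access pattern described above: one client requesting many different `replayId` values in a short time. The log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log: "<client ip> <epoch seconds> <request path>".
SAMPLE_LOG = "\n".join(
    # One client requesting adjacent replay IDs a second apart.
    [f"198.51.100.7 {1493700000 + i} /?replayId={1234500 + i}" for i in range(6)]
    # One client replaying the same recording several times.
    + [f"203.0.113.9 {1493700000 + 10 * i} /?replayId=7654321" for i in range(6)]
    # One client opening two recordings a day apart.
    + ["192.0.2.44 1493700000 /?replayId=2222222",
       "192.0.2.44 1493790000 /?replayId=3333333"]
)

def parse(line):
    """Return (ip, timestamp, replay_id) or None for lines that do not match."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ip, ts, path = parts
    ids = parse_qs(urlsplit(path).query).get("replayId", [])
    if not ts.isdigit() or len(ids) != 1 or not re.fullmatch(r"\d{7}", ids[0]):
        return None
    return ip, int(ts), int(ids[0])

def flag_enumeration(log_text, window=60, min_distinct=5):
    """Clients that requested >= min_distinct different replay IDs within `window` seconds."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_client[rec[0]].append((rec[1], rec[2]))
    flagged = set()
    for ip, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({rid for _, rid in events[start:end + 1]}) >= min_distinct:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    print(sorted(flag_enumeration(SAMPLE_LOG)))
```

Counting distinct IDs rather than raw requests keeps a user who rewatches one recording from being flagged.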
