Rapid7 has released its newest disclosure, R7-2017-03, describing an improper access control vulnerability affecting meeting recordings on the platform of voice, messaging and collaboration service provider Fuze. The issue has since been fixed.
The full disclosure can be found here: https://community.rapid7.com/community/infosec/blog/2017/05/02/r7-2017-03-improper-access-control-of-fuze-meeting-recordings-fixed
According to the report, meetings recorded through Fuze's platform did not have sufficient controls to keep their content private. A recording could be retrieved by anyone holding a URL of the form "https://browser.fuzemeeting.com/?replayId=7DIGITNUM", where "7DIGITNUM" is a seven-digit number that simply increments as new recordings are created. A seven-digit counter offers at most ten million values and is predictable, so it cannot stand in for an access check: an attacker who knew or guessed one replay ID reasonably close to the target could iterate through the neighbouring seven-digit numbers and download every meeting they hit.
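The pattern the report describes, and its fix, as an added illustration (this is not Rapid7's or Fuze's code, and the replay IDs, e-mail addresses and recording contents are constructed for the example). The vulnerable service hands out a sequential integer and checks nothing else; the attacker's loop sweeps the IDs around one it already knows. The hardened service applies two independent fixes, an unguessable 256-bit token and an authenticated ownership check, so a leaked URL alone is no longer enough:

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data. The IDs imitate the seven-digit incrementing
# replayId described in the disclosure; they are not real Fuze identifiers.
SAMPLE_RECORDINGS = [
    ("alice@example.com", b"audio: weekly sync"),
    ("bob@example.com", b"audio: vendor negotiation"),
    ("carol@example.com", b"audio: incident bridge"),
]


@dataclass(frozen=True)
class Recording:
    owner: str
    content: bytes


class VulnerableReplayService:
    """Mirrors the flaw: a sequential integer in the URL is the only control."""

    def __init__(self, first_id: int = 1234560):  # hypothetical counter start
        self._by_id: dict[int, Recording] = {}
        self._next_id = first_id

    def save(self, owner: str, content: bytes) -> int:
        replay_id = self._next_id
        self._next_id += 1  # each new recording is the previous ID plus one
        self._by_id[replay_id] = Recording(owner, content)
        return replay_id

    def fetch(self, replay_id: int) -> Recording | None:
        # No authentication and no ownership check: knowing (or guessing)
        # the number is enough to download the recording.
        return self._by_id.get(replay_id)


def enumerate_near(service: VulnerableReplayService, known_id: int, radius: int) -> list[int]:
    """Attacker's loop: given one valid ID, sweep the IDs around it."""
    return [
        rid
        for rid in range(known_id - radius, known_id + radius + 1)
        if service.fetch(rid) is not None
    ]


def hours_to_sweep(keyspace: int, requests_per_second: float) -> float:
    """Time to try every ID once at a given request rate (no cleverness)."""
    return keyspace / requests_per_second / 3600


class HardenedReplayService:
    """Unguessable identifier plus an authorization check on every fetch."""

    def __init__(self):
        self._by_token: dict[str, Recording] = {}

    def save(self, owner: str, content: bytes) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_token[token] = Recording(owner, content)
        return token

    def fetch(self, token: str, session_user: str | None) -> Recording | None:
        if session_user is None:
            raise PermissionError("authentication required")
        rec = self._by_token.get(token)
        # Constant-time owner comparison; an unknown token and a forbidden
        # token both yield None, so the endpoint is not an existence oracle.
        if rec is None or not hmac.compare_digest(rec.owner.encode(), session_user.encode()):
            return None
        return rec


def demo() -> dict:
    vuln = VulnerableReplayService()
    ids = [vuln.save(owner, content) for owner, content in SAMPLE_RECORDINGS]
    leaked = ids[1]  # attacker knows one ID, e.g. from a link shared with them
    stolen = enumerate_near(vuln, leaked, radius=50)

    hard = HardenedReplayService()
    tokens = [hard.save(owner, content) for owner, content in SAMPLE_RECORDINGS]
    return {
        "sequential_ids": ids,
        "stolen_ids": stolen,
        "full_sweep_hours_at_100rps": hours_to_sweep(10**7, 100),
        "token_length": len(tokens[0]),
        "owner_can_read": hard.fetch(tokens[0], "alice@example.com") is not None,
        "other_user_blocked": hard.fetch(tokens[0], "bob@example.com") is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that a random token on its own would only have fixed the guessing problem; anyone who obtained the URL (browser history, a forwarded e-mail, a proxy log) could still replay it. The ownership check in `fetch` is what makes the recording private rather than merely hard to find, which is why the hardened version keeps both.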