Cisco WebEx and Zoom video hit by security flaw

Web conferencing platforms could let attackers snoop on conference calls, says Cequence Security

Cisco Webex logo under a magnifying glass

Security researchers have uncovered a way for attackers to snoop on video conferences run on the Cisco WebEx and Zoom platforms.

Dubbed "Prying Eye", the flaw spotted by Cequence Security is a weakness in web conferencing APIs that would allow attackers to use an enumeration attack to find open calls or meetings.

Enumeration attacks refer to the practice of using brute force to guess ID numbers in this case, for meetings or calls. If the attacker guesses the right meeting ID number, and it isn't password-protected, they have instant access.

That attack technique could work on any application that uses numbers as identifiers, but Cequence notes that it's common practice to disable basic security such as passwords for web conferences in order to reduce friction for meeting participants. The flaw could be particularly troublesome for anyone who reuses meeting IDs, letting an attacker snoop on all future calls or conferences.

"In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community," said Shreyans Mehta, Cequence Security CTO and co-founder. "In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web conferencing vendors' security features to not only protect their meetings but also take the extra step of confirming the attendee identities."

Cequence alerted both companies to the vulnerability in July before taking it public today, giving Cisco and Zoom time to address the flaw. Cisco and Zoom have responded by altering default security settings and issuing advice to customers to help them avoid the vulnerability.

"Notably, the most effective step to strengthen the security of all meetings is to require a password which is enabled by default for all WebEx meetings," Cisco's security team said in a statement provided by Cequence.

Related Resource

Why UEM is the key to enterprise IT security

A guide to effective endpoint security

Download now

Richard Farley, CISO of Zoom Video Communications, said: "Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings."

Farley added that passwords are now enabled by default, but stressed it was still possible to lighten such security settings to whatever is appropriate for different users. He said that, "as is true of other security options, meeting hosts are free to choose security settings that are most appropriate to the sensitivity of their meetings."

Cequence Security added that it had not tested all other web conference vendors, so others may be at risk as well. The flaw can be avoided by requiring a password on sensitive conference calls or videos, and by confirming the identity of all attendees on a call.

The latest vulnerability comes just under a year after the discovery of a remote code execution flaw in WebEx's update service, in which hackers could invoke a Windows update service tool which grants the ability to execute commands with system-level privileges.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

Colonial Pipeline reportedly paid $5 million ransom
Security

Colonial Pipeline reportedly paid $5 million ransom

13 May 2021
Apple's AirTag tracker has already been hacked
hacking

Apple's AirTag tracker has already been hacked

10 May 2021
TsuNAME vulnerability could enable DDoS attacks on major DNS servers
distributed denial of service (DDOS)

TsuNAME vulnerability could enable DDoS attacks on major DNS servers

7 May 2021
Security researchers take control of a Tesla via drone
ethical hacking

Security researchers take control of a Tesla via drone

5 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell XPS 17 (2021) review: A big laptop for big jobs
Laptops

Dell XPS 17 (2021) review: A big laptop for big jobs

10 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021