Fuze collaboration platform exposed online meetings to attackers as a result of 'improper access control'

Glaring access control flaw meant Fuze meetings were indexed by search engines

A glaring flaw in the widely used Fuze unified communications platform exposed private meetings conducted over, and recorded by, the cloud-based service to attackers.

According to Rapid7, the IT security company that identified the security flaw, the system was exposed due to ‘improper access control' exercised by Fuze, which has fixed the problem by requiring all meeting recordings to require password authentication.

Rapid7 has credited exposure of the flaw to senior software engineer Samuel Huckins.

The easy-to-exploit flaw was caused by the way in which Fuze enabled non-users to access meetings, saved on Fuze's platform in the cloud, that had been recorded by the host.

Because non-users don't have an account, the Fuze platform made the recordings available to them via a URL specific to the meeting. Furthermore, the lack of any security on the material meant that they were indexed by, and searchable via, search engines, such as Bing, DuckDuckGo and Google.

"[Meetings] could be accessed by URLs such as 'https://browser.fuzemeeting.com/?replayId=7DIGITNUM', where "7DIGITNUM" is a seven digit number that increments over time," wrote Huckins in his advisory.

He continued: "Since this identifier did not provide sufficient keyspace to resist bruteforcing, specific meetings could be accessed and downloaded by simply guessing a replay ID reasonably close to the target, and iterating through all likely seven digit numbers."

When it was informed about the glaring security flaw, Fuze claims it took immediate action, claiming that "security is a top priority for Fuze". From 1 March 2017, all meetings required a password authentication to access meetings conducted, recorded and stored on the Fuze platform.

However, Fuze users are required to update their desktop and mobile clients in order to take advantage of the new access controls. It also enables users to download the meetings so that they can store them locally, or send them to participants.