Researchers have announced the discovery of a vulnerability within the video-conferencing platforms, Cisco Webex and Zoom, allowing attacks to snoop into calls.
The Cequence CQ Prime Threat Research team found that the vulnerability, dubbed “Prying Eye”, is a flaw within web-conferencing APIs, allowing attackers to launch an enumeration attack with the aim of finding open meetings or calls.
An enumeration attack is when a malicious actor uses brute force in order to guess or confirm valid data. In this particular case, a malicious actor could utilise a bot to discover valid meeting IDs – thus allowing them to view and listen to active meetings and calls, which have not been password-protected.
This particular attack method can be utilised with any application that uses numbers as identifiers, however the research team notes that with web conferences, it is common to disable passwords in order prevent any issues when meeting participants.
If someone were to keep reusing meeting IDs, this can cause numerous issues as an attacker could snoop into calls or meetings in the future.
“In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community,” said Shreyans Mehta, Cequence Security CTO and co-founder.
“In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities.”
Both Zoom and Cisco Webex have been notified. Richard Farley, CISO of Zoom Video Communications, Inc., said: “Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings.”
The Cisco Product Security Incident Response Team (PSIRT) published an informational security advisory to its Webex customers stating that: “Cisco Webex provides the host with controls that protect the meeting – such as disallowing join before host, locking a meeting, as well as ensuring guests do not join without authentication.”