Attackers could easily gain access to conferencing sessions in Cisco WebEx or Zoom due to an API vulnerability that lets them listen in on other people’s conversations.
Cequence Security’s CQ Prime team found that the WebEx, Zoom, and possibly other conferencing APIs are vulnerable to a Prying-Eye attack. Prying-Eye is an enumeration attack (user enumeration). According to the researchers, WebEx and Zoom allow a bot to automatically iterate through all potentially valid session identifiers via API calls. Once a valid identifier is detected, an attacker can join the session and eavesdrop on conversations (if the host has not set a password).
“Numeric or alpha-numeric sequences are quick and easy mechanisms used to grant access to online resources at scale. When deployed with security disabled or ignored, these numeric identifiers become easy targets for automated attacks”, say Cequence Security specialists.
The vulnerability is even more dangerous if, to simplify managing sessions, the user has set a personal identifier. By finding this identifier, an attacker would be able to eavesdrop on conversations for a long time.
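One defensive angle on the enumeration described above is to spot it in the conferencing service’s own API access logs: a client that resolves many distinct non-existent meeting identifiers in a short window is sweeping, not mistyping. The following is an added example, not code from Cequence, Cisco or Zoom; the log format, endpoint path, meeting identifiers and IP addresses are constructed for illustration.

```python
"""Flag meeting-ID enumeration in conferencing API access logs.

Constructed log format (one request per line, space-separated):
    <unix_ts> <client_ip> <endpoint> <meeting_id> <http_status>
A 404 means the meeting ID did not resolve; 200 means it did.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.7 sweeps consecutive IDs like a bot,
# 198.51.100.2 is a normal user who mistyped one ID and then corrected it.
SAMPLE_LOG = """\
1564000000 203.0.113.7 /api/meetings/lookup 123456700 404
1564000001 203.0.113.7 /api/meetings/lookup 123456701 404
1564000002 203.0.113.7 /api/meetings/lookup 123456702 404
1564000003 203.0.113.7 /api/meetings/lookup 123456703 200
1564000004 203.0.113.7 /api/meetings/lookup 123456704 404
1564000005 203.0.113.7 /api/meetings/lookup 123456705 404
1564000010 198.51.100.2 /api/meetings/lookup 987654321 404
1564000025 198.51.100.2 /api/meetings/lookup 987654312 200
"""


def parse_log(text):
    """Yield (ts, client, meeting_id, status) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, _endpoint, meeting_id, status = parts
        yield int(ts), client, meeting_id, int(status)


def detect_enumeration(text, window=60, max_misses=5):
    """Return {client: distinct_missed_ids} for every client that probed at
    least `max_misses` distinct non-existent IDs within any `window` seconds.
    Counting distinct IDs (not raw 404s) keeps a user retyping one wrong ID
    from being flagged while still catching a sequential sweep."""
    misses = defaultdict(list)  # client -> [(ts, meeting_id), ...]
    for ts, client, meeting_id, status in parse_log(text):
        if status == 404:
            misses[client].append((ts, meeting_id))
    flagged = {}
    for client, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted misses
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {mid for _, mid in events[start:end + 1]}
            if len(distinct) >= max_misses:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

A service that keys this on the API client (token or session) rather than the source address is harder to evade with rotating IPs; the threshold and window are tuning knobs, not fixed values.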
“This vulnerability highlights the astronomical growth of API usage and the need to secure them not only from traditional vulnerability exploits, but from seemingly legitimate, yet automated bot attacks. Driven by mobile device ubiquity and the move towards modular applications where APIs are used as the foundational elements of the application business logic, direct-to-API attacks are increasingly common”, warns Cequence Security.
Reference:
APIs are the language of the Web. According to Gartner, by 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI, up from 40% in 2019. Mobile and smart devices use API calls to ensure optimal performance and user experience.
The researchers notified Cisco and Zoom of the vulnerability in July this year. Both companies issued appropriate warnings for their users, but did not recognize the problem as a real threat.
Cisco clarified that WebEx sessions are password-protected by default, but users can disable the password for convenience. After learning of the vulnerability, Zoom made changes to its platform, in particular making a meeting password the default setting.
Recommendations from Cisco:
The most effective step to strengthen the security of all meetings is to require a password. Passwords protect against unauthorized attendance because only users with access to the password are able to join.
Cisco recommends that administrators maintain their sites with the default configuration that makes using a password mandatory when users are setting up a meeting.