Cloud-based unified communications platform startup Fuze Inc. has been forced to patch a vulnerability that exposed recordings of private meetings to anyone.

The vulnerability, discovered by security firm Rapid7 Inc., was blamed on the way Fuze provided sharing links for private recordings, specifically that the links themselves required no authentication and are easy to guess. In this case, a URL such as  “https://browser.fuzemeeting.com/?replayId=7DIGITNUM,” where “7DIGITNUM” is a seven-digit number that increments over time, allowed anyone to access the recordings without needing a password. Worse still, the seven-digit identifier increased incrementally over time, meaning that the code could also be guessed. That ability to guess a code left the recordings opened to brute force attacks, where a would-be hacker could simply generate seven digital identifiers and query the server with them until such time they managed to find a match. 

“You couldn’t set a password; it wasn’t required at first. And you could guess other folks’ URLs,” Rapid7 Program Manager Samuel Huckins told ThreatPost. “In this case, the format itself wasn’t a problem. The lack of authentication was the main issue. The URL structure just exacerbated that by just making it easier to find.”

The good news is that the vulnerability has now been patched. “As of Mar 1, 2017, all meeting recordings now appear to require password authentication in order to be viewed from Fuze’s cloud-hosted web application via direct browsing or from the Fuze desktop and mobile clients,” Huckins explained. “This authentication control is configurable by the user via the client applications as of version 4.3.1 (released on Mar 10, 2017).” He encouraged Fuze users to update their Fuze client applications to take advantage of new access controls.

Fuze was most recently in the news when it raised $104 million in February in what was likely its last venture capital fundraising prior to going public in 2018.

Image: Fuze