A communications platform lacked sufficient controls to ensure that its meeting recordings were kept private, a newly disclosed vulnerability has shown.
According to a disclosure notice shared with Infosecurity, the Fuze collaboration platform recorded meetings to its cloud hosting service, where they could be accessed via HTTPS URLs such as "https://browser(dot)fuzemeeting(dot)com/?replayId=7DIGITNUM", where "7DIGITNUM" is a seven-digit number that increments over time.
According to Rapid7, whose researcher Samuel Huckins discovered the issue and informed Fuze of it, this identifier did not provide sufficient keyspace to resist brute forcing: specific meetings could be downloaded simply by guessing a replay ID reasonably close to the target and iterating through all likely seven-digit numbers. The format also allowed available recordings to be found via search engines.
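To make the keyspace point concrete and show how a defender would spot a replayId sweep in web access logs, here is an added Python example; it is not code from Fuze, Rapid7 or the original article. The log line format, the IP addresses and the 1234567-range IDs are constructed for illustration, and the unguessable-token helper is a generic replacement for a sequential ID, not Fuze's actual fix.

```python
import math
import re
import secrets
from collections import defaultdict

# Constructed sample access-log lines (not real Fuze logs): client IP, time
# offset in seconds, request. The first client walks sequential replayIds the
# way the disclosure describes; the second only opens the one link it was sent.
SAMPLE_LOG = """\
203.0.113.7 10 GET /?replayId=1234567
203.0.113.7 11 GET /?replayId=1234568
203.0.113.7 12 GET /?replayId=1234569
203.0.113.7 13 GET /?replayId=1234570
203.0.113.7 14 GET /?replayId=1234571
198.51.100.4 20 GET /?replayId=2222222
198.51.100.4 90 GET /?replayId=2222222
"""

LOG_RE = re.compile(r"^(\S+) (\d+) GET /\?replayId=(\d{7})$")


def keyspace_bits(digits: int = 7) -> float:
    """Entropy of a purely numeric identifier with `digits` digits.

    Seven decimal digits give only about 23 bits, and because the IDs
    increment over time an attacker needs far fewer than 10**7 guesses."""
    return math.log2(10 ** digits)


def flag_enumerators(log: str, max_distinct: int = 3, window: int = 60) -> dict:
    """Return clients that requested more than `max_distinct` distinct replayIds
    within `window` seconds where the IDs are near-sequential (span at most twice
    the count). A viewer following one shared link never produces that pattern."""
    per_client = defaultdict(list)
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            per_client[m.group(1)].append((int(m.group(2)), int(m.group(3))))
    flagged = {}
    for client, hits in per_client.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ids = sorted({rid for t, rid in hits[i:] if t - t0 <= window})
            span = ids[-1] - ids[0] + 1
            if len(ids) > max_distinct and span <= 2 * len(ids):
                flagged[client] = (ids[0], ids[-1])
                break
    return flagged


def new_replay_token() -> str:
    """Unguessable replacement for a sequential ID: 128 random bits, URL-safe.
    Still to be paired with authentication; an unguessable URL alone is not
    an access control."""
    return secrets.token_urlsafe(16)
```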
Huckins discovered the issue in February and informed the company on February 27; Fuze disabled the option on March 1 and issued version 4.3.1 on March 10 with authentication controls for recorded meetings.
This included implementing user-configurable controls in the client application to mediate public access to shared meeting recordings. Affected recordings that had already been shared were also reviewed and addressed.
A statement from Fuze read: “Security is a top priority for Fuze and we appreciate Rapid7 identifying this issue and bringing it to our attention. When we were informed by the Rapid7 team of the issue, we took immediate action and have resolved the problem.”
As of Mar 1, all meeting recordings now appear to require password authentication in order to be viewed from Fuze's cloud-hosted web application via direct browsing or from the Fuze desktop and mobile clients. Fuze users are encouraged to update their Fuze client applications in order to take advantage of new access controls.