Researchers have discovered that attackers can take advantage of Webex Meetings API calls to enumerate Webex meeting numbers. Attackers can also launch similar “enumeration attacks” against the Zoom platform for ongoing or future meetings.
Cisco confirmed that Shreyans Mehta of Cequence Security and the CQ Prime Research Team reported the issue to Cisco on July 24, 2019.
“The Prying-Eye vulnerability is an example of an enumeration attack that targets web conferencing APIs with a bot that cycles through (enumerates) and discovers valid numeric meeting IDs. If the common user practice of disabling security functionality or not assigning a password is followed, then the bad actor would be able to view or listen to an active meeting,” the researchers stated in a press release.
Cisco subsequently issued a security advisory labeled as “Informational.” However, no CVEs were included in the update.
Cisco further noted that an attacker could use the response to an invoked API call to determine whether a meeting number is in use and whether the meeting is password protected.
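The behaviour Cisco describes, a response that differs for unused, open and password-protected meeting numbers, is what makes bot-driven enumeration visible on the server side: one client querying many distinct meeting IDs in a short window, most of which do not exist. The following detection sketch is an added example and is not Cisco's or Zoom's code; the log format, the `meeting_id=` / `result=` fields and the result labels `not_found`, `password_required` and `open` are all constructed for illustration and are not real Webex or Zoom API values.

```python
"""Flag API clients whose lookup pattern resembles meeting-ID enumeration.

Added example, not vendor code. The access-log format and result labels
below are constructed assumptions; real gateway logs will differ.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed line shape: "<ISO timestamp> <client> meeting_id=<digits> result=<label>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) meeting_id=(?P<mid>\d+) result=(?P<result>\w+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one constructed access-log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"], "mid": int(m["mid"]), "result": m["result"]}


def detect_enumeration(lines, window=timedelta(seconds=60), min_distinct=10, min_miss_ratio=0.5):
    """Return {client: finding} for clients that query many distinct meeting IDs
    within one time window and whose lookups mostly hit non-existent meetings.

    Legitimate users repeat a handful of IDs they were invited to; a scanner
    cycling through the numeric space produces high cardinality and a high
    share of 'not_found' responses.
    """
    by_client = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:  # skip malformed lines instead of failing the whole run
            by_client[entry["client"]].append(entry)

    findings = {}
    for client, entries in by_client.items():
        entries.sort(key=lambda e: e["ts"])
        # Largest number of distinct IDs seen in any window starting at an entry.
        best = 0
        for i, start in enumerate(entries):
            seen = set()
            for e in entries[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["mid"])
            best = max(best, len(seen))
        misses = sum(1 for e in entries if e["result"] == "not_found")
        miss_ratio = misses / len(entries)
        if best >= min_distinct and miss_ratio >= min_miss_ratio:
            findings[client] = {
                "distinct_ids_in_window": best,
                "miss_ratio": round(miss_ratio, 2),
                "lookups": len(entries),
            }
    return findings


def build_sample_log():
    """Constructed sample: one scanning client, one ordinary user, one bad line."""
    base = datetime(2019, 7, 24, 10, 0, tzinfo=timezone.utc)
    lines = []
    # Scanner: 30 consecutive IDs in 30 seconds, one of which happens to exist.
    for k in range(30):
        result = "password_required" if k == 17 else "not_found"
        ts = (base + timedelta(seconds=k)).strftime(TS_FMT)
        lines.append(f"{ts} 203.0.113.5 meeting_id={123456700 + k} result={result}")
    # Ordinary user: looks up the same meeting twice, minutes apart.
    lines.append("2019-07-24T10:02:00Z 198.51.100.7 meeting_id=555123456 result=password_required")
    lines.append("2019-07-24T10:09:30Z 198.51.100.7 meeting_id=555123456 result=password_required")
    lines.append("this line is deliberately malformed")
    return lines


if __name__ == "__main__":
    for client, finding in detect_enumeration(build_sample_log()).items():
        print(f"possible enumeration from {client}: {finding}")
```

The two thresholds work together: cardinality alone would flag a large NAT gateway whose users all join different meetings, and miss ratio alone would flag a single mistyped ID, but a client that is both high-cardinality and mostly missing is characteristic of a bot walking the ID space. Tune `window` and `min_distinct` against a baseline of real traffic before alerting on them.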
The company also provided password security guidance to prevent attacker snooping.
“The most effective step to strengthen the security of all meetings is to require a password. Passwords protect against unauthorized attendance because only users with access to the password are able to join,” Cisco recommended in the advisory.
Cisco further recommended that administrators set up sites to use the default configuration, whereby passwords are mandatory. In addition, users can review Cisco’s security guidelines in Cisco WebEx Best Practices for Secure Meetings for Site Administrators and Hosts.
In response to the researchers’ findings, Zoom also issued an account setting update, “Password Default for Meeting and Webinar.”
As part of the update, Zoom will add three new “require a password” settings — when scheduling meetings, for instant meetings and for Personal Meeting ID (PMI).
“These settings will give account owners and admins additional control over meeting passwords across their users and their entire account,” Zoom stated in the advisory.