Synopsys researchers discovered a pair of now-patched vulnerabilities in GOAutodial, call center management software used in more than 50,000 businesses.
"We all say that every business is a software business these days. And this is a really classic example of that," said Scott Tolley, a sales engineer at Synopsys who discovered the vulnerabilities.
Call centers are awash with consumer data and a critical component of business functions, whether that is in providing support, payment or other services. But call-center software and other back-end office software may be the source of several blind spots in cybersecurity, said James Wilde, global head of security strategy for SPHERE and a former head of security technology services for Barclays.
"These aren’t mainstream apps and tech, so they aren't actively being probed for vulnerabilities by third parties and threat actors," Wilde said, adding: "Vendors are not embracing strong vulnerability processes to actively assess their vulnerabilities, and not openly publishing these vulnerabilities."
The GOAutodial research found two problems in how the API handles PHP files. CVE-2021-43175 allows unauthenticated access to PHP files, with no valid credentials required. CVE-2021-43176 is a local file inclusion flaw that lets users execute arbitrary code from files that already exist on the GOAutodial system, including ones sent using instant message.
Synopsys praised GOAutodial's rapid handling of its vulnerability report. The disclosure process began in the last week of September, and GOAutodial proposed a fix within a month.
Tolley said the discovery may lead him to do more extensive research into the space.
"This is the first example that I have looked at myself, and I am quite tempted to do a more systematic study of the ecosystem after this," he said. "Where you find something, it is likely that there are more things."