Fuze's customer portal for its handset provisioning service contained numerous security flaws that attackers could have exploited to steal user data such as  phone numbers and email addresses.
Fuze's customer portal for its handset provisioning service contained numerous security flaws that attackers could have exploited to steal user data such as phone numbers and email addresses.

Cloud-based unified communications services provider Fuze earlier this year repaired three vulnerabilities in a customer web portal that, if exploited, could have exposed sensitive user data and credentials.

Fuze automatically pushed fixes for this trio of bugs to its TPN Handset Portal back in April and May of 2017, after a Rapid7 user uncovered and privately disclosed the issues. But the details surrounding the vulnerabilities became public today after Rapid7 published a blog post about them..

According to Rapid7, the first vulnerability was an improper access control issue allowing attackers to "enumerate through MAC addresses associated with registered handsets of Fuze users," allowing them to "craft a URL that reveals details about this user" via HTTP. Such details included phone numbers, email addresses, parent account names and locations, and links to a user's' administrator interface. The URL for this admin interface contained the second vulnerability, as it prompted for a password over an unencrypted HTTP connection, allowing privileged attackers to capture this traffic.

Thirdly, authentication requests to the admin port were not rate limited, exposing it to brute-force attacks to capture credentials.

Fuze took numerous steps to resolve the problems, including requiring password authentication to access the TPN portal, encrypting traffic to the TPN portal, and introducing rate limiting for authentication attempts to the admin portal.

"As users of the entire Fuze platform, Rapid7's team identified security weaknesses and responsibly disclosed them to the Fuze security team," said Chris Conry, CIO of Fuze, in a company statement. "In this case, while the exposure was a limited set of customer data, Fuze took immediate action upon receiving notification by Rapid7, and remediated the vulnerabilities with its handset provisioning service, in full, within two weeks. Fuze has no evidence of any bad actors exploiting this vulnerability to compromise customer data."