Network Security, Patch/Configuration Management, Vulnerability Management

Fuze fixes security lapses in portal site that could have exposed sensitive user data, credentials

Cloud-based unified communications services provider Fuze earlier this year repaired three vulnerabilities in a customer web portal that, if exploited, could have exposed sensitive user data and credentials.

Fuze automatically pushed fixes for this trio of bugs to its TPN Handset Portal back in April and May of 2017, after a Rapid7 user uncovered and privately disclosed the issues. But the details surrounding the vulnerabilities became public today after Rapid7 published a blog post about them.

According to Rapid7, the first vulnerability was an improper access control issue allowing attackers to "enumerate through MAC addresses associated with registered handsets of Fuze users" and then "craft a URL that reveals details about this user" via HTTP. Such details included phone numbers, email addresses, parent account names and locations, and links to a user's administrator interface. The URL for this admin interface contained the second vulnerability, as it prompted for a password over an unencrypted HTTP connection, allowing suitably positioned attackers to capture this traffic.

Thirdly, authentication requests to the admin port were not rate limited, leaving it exposed to brute-force credential guessing.

Fuze took numerous steps to resolve the problems, including requiring password authentication to access the TPN portal, encrypting traffic to the TPN portal, and introducing rate limiting for authentication attempts to the admin portal.
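The three remediations described above, modelled as an added Python example that is not Fuze's or Rapid7's code: the Portal class, the handset records, account names and passwords are constructed sample data, and the attempt limits are assumed values chosen for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data (not real Fuze records): handset MAC -> owning account,
# and account -> demo password. A real portal would store password hashes.
HANDSETS = {"00:11:22:33:44:55": "acct-A", "66:77:88:99:AA:BB": "acct-B"}
USERS = {"acct-A": "correct-horse", "acct-B": "battery-staple"}

MAX_ATTEMPTS = 5        # assumed: failed logins tolerated per client per window
WINDOW_SECONDS = 300    # assumed: sliding window length for the limiter


class Portal:
    """Hypothetical provisioning portal with authentication required for
    handset lookups, per-account access control, and rate-limited logins.
    (Transport encryption is the web server's job and is not modelled here.)"""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                     # injectable for testing
        self.failures = defaultdict(deque)     # client -> failed-login timestamps

    def _recent_failures(self, client):
        now = self.clock()
        q = self.failures[client]
        while q and now - q[0] > WINDOW_SECONDS:   # drop entries outside the window
            q.popleft()
        return q

    def is_rate_limited(self, client):
        return len(self._recent_failures(client)) >= MAX_ATTEMPTS

    def authenticate(self, client, account, password):
        """Return a session dict on success, None on failure or while rate limited."""
        q = self._recent_failures(client)
        if len(q) >= MAX_ATTEMPTS:
            return None                        # refuse even a correct password while limited
        expected = USERS.get(account, "")
        if not hmac.compare_digest(expected, password) or account not in USERS:
            q.append(self.clock())             # count the failure toward the limit
            return None
        q.clear()                              # successful login resets the counter
        return {"account": account}

    def lookup_handset(self, session, mac):
        """Only the authenticated owner may read a handset record; unknown and
        foreign MACs both return None so the endpoint cannot be used for enumeration."""
        if session is None:
            return None
        owner = HANDSETS.get(mac.upper())
        if owner is None or owner != session["account"]:
            return None
        return {"mac": mac.upper(), "account": owner}
```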

"As users of the entire Fuze platform, Rapid7's team identified security weaknesses and responsibly disclosed them to the Fuze security team," said Chris Conry, CIO of Fuze, in a company statement. "In this case, while the exposure was a limited set of customer data, Fuze took immediate action upon receiving notification by Rapid7, and remediated the vulnerabilities with its handset provisioning service, in full, within two weeks. Fuze has no evidence of any bad actors exploiting this vulnerability to compromise customer data."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
