VoIP bods Fuze defuse triple whammy of portal security vulnerabilities

Messaging provider Fuze has resolved a trio of vulnerabilities in its TPN Handset Portal.

The access controls and authentication flaws, discovered by security tools firm Rapid7, created a means for hackers to obtain personal data about Fuze users ranging from phone numbers to email addresses and access credentials.

Once seized through brute-force attacks, this sensitive data could then be transmitted via cleartext transmission, without encryption, or stored by cybercriminals.

The first flaw, which involved improper access control, allowed attackers to enumerate through MAC addresses associated with registered handsets of Fuze users. Another flaw involved improper restriction of excessive authentication attempts, clearing the way for brute-force attacks.

The last of the three flaws involved prompts for passwords pushed over an unencrypted HTTP connection.

Fuze offers enterprises a multi-platform voice, messaging, and collaboration service. The company had fixed all three issues in early May, meaning Rapid7 could go public with its discoveries in a blog postthis week.

Chris Conry, CIO of Fuze, thanked Rapid7 for its responsible disclosure of security problems, adding that it has no evidence of hackers using the flaws.

Read more…

Source: The Register