VoIP bods Fuze defuse triple whammy of portal security vulnerabilities

Researchers using the service found a bunch of flaws

Messaging provider Fuze has resolved a trio of vulnerabilities in its TPN Handset Portal.

The access controls and authentication flaws, discovered by security tools firm Rapid7, created a means for hackers to obtain personal data about Fuze users ranging from phone numbers to email addresses and access credentials.

Because the portal also moved this data over unencrypted connections, an attacker who had harvested it by brute force, or who could eavesdrop on the cleartext traffic, was free to capture and store it.

The first flaw, an improper access control weakness, allowed attackers to enumerate the MAC addresses of handsets registered to Fuze users. The second was an improper restriction of excessive authentication attempts, which cleared the way for brute-force attacks.

The last of the three flaws was that the portal served its password prompts over an unencrypted HTTP connection.
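The three weaknesses described above map onto well-known classes: an object reachable by a guessable identifier (a MAC is not a secret, and the space under one vendor prefix is only 24 bits), no throttle on failed attempts, and credentials sent in cleartext. The toy provisioning portal below is an added illustration written for this page, not Fuze's code or Rapid7's proof of concept; the inventory records, the vendor prefix 00:04:f2, the client addresses and the five-failure lockout are all constructed for the example. It shows a lookup keyed on MAC alone being walked by enumeration, and a hardened variant that requires a per-device secret, counts failures per client, and refuses to serve anything over plain HTTP.

```python
"""Toy handset-provisioning portal illustrating the three weakness classes
in the article.  Constructed example, not Fuze's code; all data is fictional."""
import hmac
import secrets
from collections import defaultdict
from typing import Dict, Iterator, Optional

# Constructed inventory: handset MAC -> provisioning record (fictional data).
INVENTORY: Dict[str, dict] = {
    "00:04:f2:00:00:07": {"user": "alice@example.com", "phone": "+1 555 0101", "password": "s3cret-A"},
    "00:04:f2:00:00:2a": {"user": "bob@example.com",   "phone": "+1 555 0102", "password": "s3cret-B"},
}


def mac_range(oui: str, start: int, count: int) -> Iterator[str]:
    """Yield MACs under one vendor prefix (OUI); the device part is only 24 bits,
    so a portal that keys on MAC alone exposes at most 16.7M candidates per vendor."""
    for n in range(start, start + count):
        yield f"{oui}:{n >> 16:02x}:{(n >> 8) & 0xff:02x}:{n & 0xff:02x}"


# --- Weakness 1 + 2: access by guessable identifier, no limit on attempts ---
def lookup_insecure(mac: str) -> Optional[dict]:
    """Anyone who knows or guesses a MAC gets the record: no secret, no throttle."""
    return INVENTORY.get(mac.lower())


def enumerate_insecure(oui: str, count: int) -> Dict[str, dict]:
    """Walk the MAC space under one OUI and keep every record the portal hands back."""
    return {m: r for m in mac_range(oui, 0, count) if (r := lookup_insecure(m))}


# --- Hardened portal ---------------------------------------------------------
class ProvisioningPortal:
    MAX_FAILURES = 5  # constructed limit: failures per client before lockout

    def __init__(self, inventory: Dict[str, dict]):
        self._inventory = inventory
        # One provisioning secret per handset (e.g. printed on the device label).
        # The MAC itself is never treated as a credential because it is enumerable.
        self._secrets = {mac: secrets.token_hex(16) for mac in inventory}
        self._failures: Dict[str, int] = defaultdict(int)

    def device_secret(self, mac: str) -> str:
        """What the legitimate handset (or its installer) knows."""
        return self._secrets[mac.lower()]

    def failures(self, client: str) -> int:
        return self._failures[client]

    def fetch_config(self, mac: str, secret: str, client: str, scheme: str = "https") -> Optional[dict]:
        # Weakness 3: never serve a password prompt or credentials over cleartext HTTP.
        if scheme != "https":
            raise ValueError("provisioning requires TLS")
        # Weakness 2: stop counting guesses once a client has exhausted its budget.
        if self._failures[client] >= self.MAX_FAILURES:
            return None
        # Weakness 1: a MAC alone grants nothing; the per-device secret must match.
        # Unknown MACs are compared against a dummy so they cost the same as a wrong secret.
        known = mac.lower() in self._secrets
        expected = self._secrets.get(mac.lower(), "0" * 32)
        if not (hmac.compare_digest(expected, secret) and known):
            self._failures[client] += 1
            return None
        self._failures[client] = 0
        return self._inventory[mac.lower()]


def demo() -> dict:
    """Run the enumeration against both portals and summarise what each leaks."""
    insecure_hits = enumerate_insecure("00:04:f2", 0x100)
    portal = ProvisioningPortal(INVENTORY)
    attacker, hardened_hits = "203.0.113.5", 0
    for m in mac_range("00:04:f2", 0, 0x100):
        if portal.fetch_config(m, "guess", client=attacker):
            hardened_hits += 1
    mac = "00:04:f2:00:00:07"
    legit = portal.fetch_config(mac, portal.device_secret(mac), client="198.51.100.9")
    return {
        "insecure_hits": len(insecure_hits),
        "hardened_hits": hardened_hits,
        "attacker_attempts_counted": portal.failures(attacker),
        "legit_ok": legit is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The lockout is deliberately per client rather than per handset so that an attacker cannot lock real users out by spraying guesses at their MACs; in production the counter would live in shared storage and be paired with a credential that is not derivable from anything printed on the wire.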

Fuze offers enterprises a multi-platform voice, messaging, and collaboration service. The company fixed all three issues in early May, clearing the way for Rapid7 to publish its findings in a blog post this week.

Chris Conry, CIO of Fuze, thanked Rapid7 for its responsible disclosure of the problems, adding that the company has no evidence the flaws were exploited.

"As users of the entire Fuze platform, Rapid7's team identified security weaknesses and responsibly disclosed them to the Fuze security team," Conry said.

"In this case, while the exposure was a limited set of customer data, Fuze took immediate action upon receiving notification by Rapid7, and remediated the vulnerabilities with its handset provisioning service, in full, within two weeks." ®
