Zero days in online meeting platforms.
Huntress has uncovered vulnerabilities affecting the virtual event platforms 6Connex and vFairs. In a webinar this morning, Huntress CEO Kyle Hanslovan and Senior Security Researcher John Hammond explained that they found the vulnerabilities because Huntress itself used these platforms to hold virtual events. Hanslovan and Hammond also reported an undisclosed data breach that impacted Axial, a popular business transaction platform for mid-sized businesses.
Vulnerabilities in virtual event platforms.
The first flaw affected 6Connex, the most popular virtual event platform, through a supply chain dependency on Webcast.com. During 6Connex meetings, the platform would reach out to a webcast.com URL that contained a meeting ID. Anyone who visited this URL would see a JSON file containing every participant's country, state, IP address, first and last names, address, phone number, password, company, and email address. The researchers found that by simply changing the meeting ID in the URL they could retrieve this information for the participants of any other 6Connex meeting: the endpoint trusted the identifier in the URL and never checked whether the caller was entitled to that meeting's data, a textbook insecure direct object reference. Huntress notified Webcast in October 2020, and the company fixed the flaw within a week.
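The pattern described above, as an added illustration that is not 6Connex or Webcast.com code: a roster export keyed only by the meeting ID in the URL, next to a hardened version that requires a session, authorizes the caller against the meeting, and drops fields a roster never needs. The in-memory store, user records, meeting IDs and the `enumerate_ids` attacker loop are all constructed for this example.

```python
"""Added example of an insecure direct object reference (IDOR) on a meeting
roster endpoint, with a hardened counterpart. Not vendor code; all data is
constructed."""
from typing import Optional

# Constructed sample data: who is in which meeting, and what is stored per user.
MEETINGS = {
    "1001": {"participants": ["alice", "bob"]},
    "1002": {"participants": ["carol"]},
}
USERS = {
    "alice": {"first": "Alice", "last": "Adams", "company": "Example Co", "country": "US",
              "email": "alice@example.com", "ip": "203.0.113.5", "phone": "555-0100",
              "password_hash": "$2b$12$constructed"},
    "bob":   {"first": "Bob", "last": "Brown", "company": "Example Co", "country": "US",
              "email": "bob@example.com", "ip": "203.0.113.6", "phone": "555-0101",
              "password_hash": "$2b$12$constructed"},
    "carol": {"first": "Carol", "last": "Clark", "company": "Other Inc", "country": "GB",
              "email": "carol@example.net", "ip": "198.51.100.9", "phone": "555-0102",
              "password_hash": "$2b$12$constructed"},
}
# Fields a participant roster never needs to expose to other attendees.
SENSITIVE_FIELDS = {"ip", "phone", "email", "password_hash"}


def export_participants_vulnerable(meeting_id: str) -> Optional[list]:
    """Vulnerable handler: the meeting ID taken from the URL is the only
    'credential'. Whoever changes the ID reads every stored field of every
    participant in that meeting."""
    meeting = MEETINGS.get(meeting_id)
    if meeting is None:
        return None
    return [dict(USERS[u]) for u in meeting["participants"]]


def export_participants_hardened(session_user: Optional[str],
                                 meeting_id: str) -> tuple[int, Optional[list]]:
    """Hardened handler: (1) require an authenticated session, (2) authorize the
    caller against the requested meeting rather than trusting the URL, and
    (3) return only the fields the roster feature needs.
    Returns (http_status, body) the way a web handler would."""
    if session_user is None:
        return 401, None
    meeting = MEETINGS.get(meeting_id)
    # Same status for "no such meeting" and "not your meeting", so an attacker
    # cannot use the response to enumerate which IDs exist.
    if meeting is None or session_user not in meeting["participants"]:
        return 403, None
    roster = [{k: v for k, v in USERS[u].items() if k not in SENSITIVE_FIELDS}
              for u in meeting["participants"]]
    return 200, roster


def enumerate_ids(handler, start: int = 1000, count: int = 10) -> dict:
    """The attacker's side of the story: walk neighbouring meeting IDs and keep
    whatever the handler returns. `handler` maps a meeting ID to a body or None."""
    hits = {}
    for mid in range(start, start + count):
        body = handler(str(mid))
        if body:
            hits[str(mid)] = body
    return hits


if __name__ == "__main__":
    # Against the vulnerable endpoint the loop harvests every meeting, secrets included.
    print(enumerate_ids(export_participants_vulnerable))
    # As carol against the hardened endpoint, only carol's own meeting comes back, redacted.
    print(enumerate_ids(lambda m: export_participants_hardened("carol", m)[1]))
```

Unguessable meeting IDs (a random token instead of a counter) would slow the enumeration down, but they are defence in depth only; the fix is the membership check, and the field allow-list limits the damage if that check is ever bypassed.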
The second set of flaws affected vFairs and allowed any logged-in user to view other users' private information, including email addresses. A user could also update any other user's profile without permission. Because profile descriptions were shown in chat rooms, this let a user launch a stored cross-site scripting attack against any chat room by planting a payload in another user's profile description. The researchers also found that users could exploit the platform to upload a PHP file that would execute on vFairs' servers. They went no further than this, since the severity of the vulnerability was already clear.
Huntress reported these flaws in September 2020. vFairs was slower to respond than 6Connex but eventually acknowledged Huntress's notification. It is still not clear whether the flaws have been patched.
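The three vFairs weaknesses in the passage above (an unauthorized profile write, a profile field rendered into chat without escaping, and an upload that accepts server-side script) share one shape: a handler that trusts client input it never checked. The added example below, which is not vFairs code, shows each weak handler beside a hardened one. The profile store, the session model, the allowed upload types and the `<p>` rendering context are all assumptions made for the example.

```python
"""Added example: missing ownership check on a profile update, stored XSS via
the profile description, and an upload handler that accepts PHP. Each weak
handler is paired with a hardened one. Not vFairs code; data is constructed."""
import html
import os
import secrets

# Constructed profile store: username -> profile fields.
PROFILES = {
    "alice": {"description": "Hi, I am Alice."},
    "bob": {"description": "Bob here."},
}
MAX_DESCRIPTION = 500

# Allowed upload types: extension -> leading magic bytes (assumed policy: images only).
ALLOWED_UPLOADS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


# --- 1. Profile update ------------------------------------------------------

def update_profile_vulnerable(target_user: str, new_description: str) -> int:
    """Weak: whoever is logged in may rewrite anyone's profile. The target
    comes from the request and is never compared with the session."""
    if target_user not in PROFILES:
        return 404
    PROFILES[target_user]["description"] = new_description
    return 200


def update_profile_hardened(session_user: str, target_user: str, new_description: str) -> int:
    """Hardened: the caller may only edit their own profile, and input is
    length-limited so it cannot be used as a payload dump."""
    if session_user != target_user:
        return 403
    if target_user not in PROFILES:
        return 404
    if len(new_description) > MAX_DESCRIPTION:
        return 400
    PROFILES[target_user]["description"] = new_description
    return 200


# --- 2. Rendering the description in a chat room ----------------------------

def render_description_vulnerable(user: str) -> str:
    """Weak: the stored string is interpolated straight into the page, so a
    description containing <script> runs for every viewer of the chat room."""
    return f"<p class=\"bio\">{PROFILES[user]['description']}</p>"


def render_description_hardened(user: str) -> str:
    """Hardened: HTML-escape on output. This is correct for HTML body context
    only; an attribute or JavaScript context needs its own encoder."""
    return f"<p class=\"bio\">{html.escape(PROFILES[user]['description'], quote=True)}</p>"


# --- 3. File upload ---------------------------------------------------------

def accept_upload_vulnerable(filename: str, data: bytes) -> str:
    """Weak: keeps the client-supplied name. A 'shell.php' saved under the web
    root is handed to the PHP interpreter on the next request."""
    return os.path.basename(filename)


def accept_upload_hardened(filename: str, data: bytes):
    """Hardened: allow-list the extension, check the content matches it, and
    store under a server-generated name (so 'x.php.png' tricks buy nothing).
    Returns the stored name or None when rejected."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED_UPLOADS.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    # In production also store outside the document root and serve with a fixed
    # Content-Type; the interpreter must never see this directory.
    return secrets.token_hex(16) + ext
```

The ordering matters: the profile write is the entry point, the escaping bug is what turns a self-XSS into an attack on every chat room, and the upload check is what separates "attacker controls a string" from "attacker controls a server".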
Data breach affects Axial.
Huntress also took the opportunity to report a data breach that affected Axial, the largest M&A transaction platform for small- to medium-sized businesses. The breach, which hadn’t previously been disclosed or reported, exposed "250k+ confidential details on SMB mergers and acquisitions, financing, and more." The data were briefly posted to Twitter before the social media platform deleted the posts and banned the user. The Twitter user who posted the data said Axial had "fully exposed their Jenkins server to the web, with no authentication and full access rights granted to anonymous users."
Hanslovan said he confirmed this claim and was able to download 300 GB of data, which included full access to Axial's Jenkins build server. This in turn granted access to the keys for the company's Amazon S3 buckets, which stored client data.
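"No authentication and full access rights granted to anonymous users" corresponds to a handful of settings in a Jenkins controller's top-level `config.xml`. The added audit script below, which is not from Huntress or Axial, parses that file and flags the configurations that produce an exposure like the one described. The three sample documents are constructed for the example; the element and attribute names follow what Jenkins writes to `config.xml` (including both the older `perm:sid` and newer `USER:perm:sid` matrix permission formats), which is an assumption about your Jenkins version and plugins.

```python
"""Added example: audit a Jenkins controller config.xml for anonymous access.
Not vendor code. Sample XML below is constructed; a real file also carries an
XML 1.1 declaration, omitted here."""
import xml.etree.ElementTree as ET

# Constructed: security switched off entirely, the state the Twitter user described.
OPEN_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

# Constructed: security "on", but the matrix grants Administer to anonymous.
ANON_ADMIN_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:anonymous</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

# Constructed: a configuration that should produce no findings.
LOCKED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""


def _is_true(text) -> bool:
    return (text or "").strip().lower() == "true"


def audit_jenkins_config(xml_text: str) -> list:
    """Return a list of human-readable findings; an empty list means none of the
    checked anonymous-access misconfigurations are present."""
    findings = []
    root = ET.fromstring(xml_text)

    if not _is_true(root.findtext("useSecurity")):
        findings.append("useSecurity is not true: no authentication or authorization is enforced")

    strat = root.find("authorizationStrategy")
    cls = strat.get("class", "") if strat is not None else ""
    if strat is None or cls.endswith("$Unsecured"):
        findings.append("authorizationStrategy is Unsecured: anonymous users have full control")
    elif cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        if not _is_true(strat.findtext("denyAnonymousReadAccess")):
            findings.append("anonymous read allowed: job configs, console logs and artifacts are public")
    elif "MatrixAuthorizationStrategy" in cls:
        for perm in strat.findall("permission"):
            parts = (perm.text or "").strip().split(":")
            if len(parts) < 2:
                continue
            permission, sid = parts[-2], parts[-1]   # handles both perm:sid and USER:perm:sid
            if sid == "anonymous":
                level = "FULL CONTROL" if permission.endswith(".Administer") else "access"
                findings.append(f"anonymous granted {level} via {permission}")

    realm = root.find("securityRealm")
    if realm is None or realm.get("class", "").endswith("$None"):
        findings.append("securityRealm is None: no user store, so only anonymous exists")
    elif realm.get("class", "").endswith("HudsonPrivateSecurityRealm") \
            and not _is_true(realm.findtext("disableSignup")):
        findings.append("self-signup enabled: anyone can create an account and become 'authenticated'")

    return findings


if __name__ == "__main__":
    for name, doc in (("open", OPEN_CONFIG), ("anon-admin", ANON_ADMIN_CONFIG), ("locked", LOCKED_CONFIG)):
        print(name, audit_jenkins_config(doc) or ["no findings"])
```

The script reads the file on disk, which is what a defender has; from the outside the equivalent symptom is that `/api/json` on the controller answers 200 without credentials. A finding here matters beyond Jenkins itself, because a build server's credentials store and job workspaces are exactly where cloud keys of the kind reported above tend to live.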
Thoughts on supply chain attacks.
Hanslovan and Hammond concluded that these discoveries highlight the far-reaching impact of supply chain attacks. In the case of Axial, for example, Hanslovan explained that "Not only did Jenkins—because they failed to secure the build server—enable Axial to get hit by configuration management problem, Axial themselves was a supply chain problem to every one of their clients."