Fuze is an enterprise, multi-platform voice, messaging, and collaboration service created by Fuze, Inc. It is described fully at the vendor's website. While much of the Fuze suite of applications is delivered as web-based SaaS components, there are endpoint client applications for a variety of desktop and mobile platforms.
This issue was discovered by Samuel Huckins of Rapid7 (that's me), and is being disclosed in accordance with Rapid7's vulnerability disclosure policy.
Recorded Fuze meetings are saved to Fuze's cloud hosting service. They could be accessed by URLs such as "
Security is a top priority for Fuze and we appreciate Rapid7 identifying this issue and bringing it to our attention. When we were informed by the Rapid7 team of the issue, we took immediate action and have resolved the problem.
As of Mar 1, 2017, all meeting recordings now appear to require password authentication in order to be viewed from Fuze's cloud-hosted web application via direct browsing or from the Fuze desktop and mobile clients. This authentication control is configurable by the user via the client applications as of version 4.3.1 (released on Mar 10, 2017). Fuze users are encouraged to update their Fuze client applications in order to take advantage of new access controls. Additional options, such as downloading the recording locally, are available at https://account.fuzemeeting.com/#/recordings.
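The access control described above, modelled as an added example that is not Fuze's code: a recording store whose original lookup resolved a recording by identifier alone (so anyone holding the URL could fetch it), beside a hardened lookup that refuses unauthenticated requests and honours an owner-configurable viewing password. The class and function names, the policy details, and the sample recording are assumptions for illustration only.

```python
"""Hypothetical model of a meeting-recording endpoint, before and after
requiring authentication. Not Fuze's code; all names are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Recording:
    recording_id: str
    owner: str
    data: bytes
    # Owner-configurable control (assumed model of the per-user setting):
    # None means any authenticated user may view; otherwise a password is required.
    password_hash: Optional[bytes] = None
    salt: bytes = field(default_factory=lambda: os.urandom(16))


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored hashes are not directly comparable across recordings.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class RecordingStore:
    def __init__(self) -> None:
        self._recordings: Dict[str, Recording] = {}

    def add(self, recording_id: str, owner: str, data: bytes,
            password: Optional[str] = None) -> Recording:
        rec = Recording(recording_id, owner, data)
        if password is not None:
            rec.password_hash = _hash_password(password, rec.salt)
        self._recordings[recording_id] = rec
        return rec

    def fetch_unauthenticated(self, recording_id: str) -> Optional[bytes]:
        """BEFORE: the recording is resolved from the URL alone. Possession of
        the link is the only 'credential', which is the defect the advisory
        describes."""
        rec = self._recordings.get(recording_id)
        return rec.data if rec else None

    def fetch(self, recording_id: str, user: Optional[str] = None,
              password: Optional[str] = None) -> Optional[bytes]:
        """AFTER: an authenticated identity is mandatory, the owner always has
        access, and other users must supply the password the owner configured."""
        if user is None:
            raise PermissionError("authentication required")
        rec = self._recordings.get(recording_id)
        if rec is None:
            return None
        if user == rec.owner:
            return rec.data
        if rec.password_hash is None:
            return rec.data
        if password is None:
            raise PermissionError("recording password required")
        candidate = _hash_password(password, rec.salt)
        # Constant-time comparison avoids leaking hash prefixes via timing.
        if not hmac.compare_digest(candidate, rec.password_hash):
            raise PermissionError("wrong recording password")
        return rec.data


if __name__ == "__main__":
    store = RecordingStore()
    store.add("rec-0001", "alice", b"constructed-audio-bytes", password="s3cret")
    print("unauthenticated (old):", store.fetch_unauthenticated("rec-0001"))
    try:
        store.fetch("rec-0001")
    except PermissionError as exc:
        print("unauthenticated (new):", exc)
    print("bob with password:", store.fetch("rec-0001", user="bob", password="s3cret"))
```

The point of keeping both lookups side by side is the audit question a defender asks of any "share by link" feature: does the server consult the requester's identity at all, or only the identifier in the path? Only the second lookup does.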
Thu, Feb 23, 2017: Discovered by Samuel Huckins of Rapid7.
Mon, Feb 27, 2017: Vulnerability verified by Rapid7.
Mon, Feb 27, 2017: Vulnerability details disclosed to Fuze.
Wed, Mar 01, 2017: Fuze disabled public access to meeting recordings.
Fri, Mar 10, 2017: Version 4.3.1 of Fuze endpoint client released, providing authentication controls for recorded meetings.
Tue, Mar 15, 2017: Vulnerability details disclosed to CERT/CC.
Tue, Mar 21, 2017: VU#590023 assigned by CERT/CC to track this issue.
Tue, Apr 25, 2017: CERT/CC and Rapid7 decided not to issue a CVE for this vulnerability. The issue was primarily on Fuze's servers, thus the end user didn't have to take any actions, and the issue has already been corrected.
Tue, May 02, 2017: Disclosed to the public.