At a time when most organizations have rushed to take their events virtual, multiple zero-day vulnerabilities found in event platforms frequented by the Fortune 500 offer hackers access to personal and corporate information.
Researchers at Huntress have uncovered software flaws and misconfigurations in two of the top five virtual event platforms: VFairs, whose customers include Ford, T-Mobile, IEEE and Pearson, and 6Connex. Among the issues identified are information disclosure or leakage of personally identifiable information, direct access to databases and potential remote code execution.
“At this point, we can’t predict whether information was actively stolen or compromised by attackers or unauthorized users,” Huntress Senior Security Researcher John Hammond wrote in a blog post following a webinar, aimed at managed service providers, in which the company revealed its research.
“But it certainly was possible, and these types of vulnerabilities could very well be present in many other online conferencing platforms,” he wrote, pointing to reports that “a virtual job fair for the intelligence community hosted on the 6Connex platform [last fall] exposed job seekers’ identities and social media profiles.”
Huntress reported its findings to VFairs and 6Connex and both platforms have since patched the vulnerabilities.
The security firm also found a large supply chain breach affecting small and medium businesses (SMBs) that disclosed more than 250,000 confidential details on SMB mergers and acquisitions, financing and the like. “A huge amount of sensitive and confidential financing information was leaked from Axial, a platform for buying, selling, advising and financing private companies — all due to neglect of basic security measures,” Hammond wrote, noting that a Twitter thread recounting the breach had been removed and the account banned.