M33tfinder: Disclosing Corporate Secrets via Videoconferences

Back to the list of Speakers and Sessions

Remotely and without authentication list the active conferences on a videoconferencing server, obtain meeting information and perform a bruteforce attack to access the information discussed in there

Video conferencing systems are increasingly used to talk about critical issues in corporate environments, but there are very few attacks and tools dedicated to them. Cisco Meeting Server or CMS is a software used to make video conferences, which allows users to connect to meetings through different clients or via WebRTC with a browser.

During a series of tests conducted with this software, we detected that remotely and without authentication it is possible to list the active conferences on a CMS server and obtain a large amount of information for each conference such as the name of the conference, ID, video address, passcode protection and more. After our report, in November 2018 Cisco published a security advisory associated with this vulnerability with CVE-2018-15446. We also detect that remotely and without authentication, in some cases it is possible to perform a bruteforce attack of the passcode in the conferences that have one, to obtain this numeric code and access the corresponding videoconference.

Based on this research, we developed two open source tools in Python: m33tfinder and m33tbreak that allow to automate this attack, knowing only the URL of the CMS server. An attacker using our tools could identify the URL of the CMS of a certain company, obtain the valid conferences, identify the conferences that discuss critical issues such as budgets, directive committees, board meetings and join the meetings as a guest. That way the attacker could access the critical information discussed in them or record them, using only a web browser.

In our talk, we will see the overall security of videoconferencing systems, the story of how we discovered the vulnerability, how to identify the Cisco Meeting Servers exposed on the Internet, the technique used to obtain information about the conferences and perform the bruteforce attack, a demo of the tools to carry out an attack on a CMS and the countermeasures we can take to protect ourselves from these attacks in case of administering or using this or another videoconferencing system.


Yamila Vanesa Levalle Security Researcher, ElevenPaths

Yamila Vanesa Levalle is an Information Systems Engineer, Security Researcher and Offensive Security Professional with more than 15 years of experience in Infosec. Over the years, she has discovered vulnerabilities in various applications and systems.

Yamila currently works as Security Researcher in ElevenPaths (Telefonica Cibersecurity Unit) where she specializes in offensive/defensive techniques, conducts researches, publishes articles on different information security issues and develop security tools in Python. She is an international security conferences speaker and has presented her researches at important events such as OWASP Latam Tour, Infosec UTN and Notpinkcon. She has also taught ethical hacking courses for women, CTF courses for beginners and several information security awareness and training courses and talks.