Fuze fixes three serious vulnerabilities in its VoIP service

26 August 2017, 09:36 | Technologies

Flaws in access control and authentication, discovered by the security company Rapid7, gave attackers a way to reach the personal data of Fuze users. The vulnerabilities exposed phone numbers, e-mail addresses, the name of the parent account, and a link to the administrative interface.

The first vulnerability was caused by insufficient access control over the disclosure of confidential data. An attacker could view sensitive data of other Fuze users by searching by MAC address.



The second flaw was inadequate limiting of excessive authentication attempts. Attackers could successfully carry out a brute-force attack and guess logins and passwords.

The last of the three flaws was the use of HTTP instead of HTTPS to authorize users.
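All three weakness classes described above leave traces in server-side request logs. The following is an added example, not code from Fuze or Rapid7: it flags clients that look up many distinct MAC addresses, exceed a failed-login budget, or authenticate over plain HTTP. The record layout, event names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

WINDOW = 60     # sliding window in seconds (assumed)
MAX_FAILS = 5   # failed logins tolerated per client per window (assumed)
MAX_MACS = 3    # distinct MAC lookups tolerated per client per window (assumed)

def audit(records):
    """records: (epoch_seconds, client, scheme, event, detail) tuples.
    Returns a sorted list of (client, finding) pairs."""
    fails = defaultdict(deque)  # client -> timestamps of failed logins
    macs = defaultdict(deque)   # client -> (timestamp, mac) lookups
    findings = set()
    for ts, client, scheme, event, detail in sorted(records):
        # Any authentication request outside TLS exposes the credentials.
        if event in ("login_ok", "login_fail") and scheme != "https":
            findings.add((client, "cleartext-auth"))
        if event == "login_fail":
            q = fails[client]
            q.append(ts)
            while ts - q[0] >= WINDOW:   # drop attempts older than the window
                q.popleft()
            if len(q) > MAX_FAILS:
                findings.add((client, "auth-bruteforce"))
        elif event == "mac_lookup":
            q = macs[client]
            q.append((ts, detail.lower()))
            while ts - q[0][0] >= WINDOW:
                q.popleft()
            # Count distinct MACs: repeated lookups of one device are normal.
            if len({mac for _, mac in q}) > MAX_MACS:
                findings.add((client, "mac-enumeration"))
    return sorted(findings)

def sample_records():
    """Constructed records; addresses use documentation ranges."""
    recs = [(1000 + 2 * i, "192.0.2.5", "https", "login_fail", "alice")
            for i in range(8)]                      # 8 failures in 16 s
    recs += [(2000 + i, "192.0.2.9", "https", "mac_lookup",
              "00:00:5E:00:53:%02X" % i) for i in range(5)]  # 5 MACs in 5 s
    recs.append((3000, "192.0.2.7", "http", "login_ok", "bob"))
    recs += [(4000 + i, "192.0.2.8", "https", "mac_lookup",
              "00:00:5E:00:53:AA") for i in range(6)]        # same device
    recs += [(5000 + 120 * i, "192.0.2.8", "https", "login_fail", "carol")
             for i in range(8)]                     # slow, spread-out typos
    return recs

if __name__ == "__main__":
    for client, finding in audit(sample_records()):
        print(client, finding)
```

Detection of this kind complements the server-side fixes (per-account authorization on lookups, attempt throttling, HTTPS-only authentication) and does not replace them.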

Fuze offers enterprises a multi-platform service for calls, messaging and collaboration. In early May, the company fixed all three vulnerabilities and gave Rapid7 permission to publish the research on its blog.



