Author: Michał Ogorzałek
You have almost certainly attended (or maybe even organized?) online webinars, especially in the current online world. But have you wondered what kind of security issues may lurk in these platforms? We have: while searching for a webinar platform that would suit us, we tested the security of 14 of them.
As a result, in half of the tested platforms we identified high or critical vulnerabilities, among them various access control issues (for example, allowing unprivileged attendees to become a host/presenter) and sensitive data leakage.
An alarming number of issues were identified within the very first minutes of testing, a red flag indicating a general problem: insecure design and a missing SSDLC. Reporting the security problems to vendors was far from perfect as well, to put it mildly.
The problem is not limited to webinar and online meeting platforms; it also affects a multitude of other web applications that use WebSockets for instant two-way communication with the browser, commonly for chat, helpdesk and online trading, to mention a few. Chances are high that the security best practices shared at the end of the presentation will apply to your application as well.