RC Meeting exploit - Bad actor joins meeting to make free calls - Ideas for a fix?

Idea, updated 6 days ago

I'm posting this to the forum both to get a feature request going as well as crowd source some ideas.

We recently had an unknown person join a recurring RingCentral Meeting and use the "invite by phone" feature to make some very expensive international calls. The RingCentral Fraud department was awesome in catching it, turning off international calling for the meeting organizer's account and alerting us via email (Go RC!). But now we're trying to figure out how to prevent this in the future. Our obvious first step was to remove international calling (which we had on by default) to at least stop international charges, but that doesn't stop domestic US calls.

I think this situation revealed a pretty genius way to exploit RC Meetings. The base URL is the same—all you have to do is increment through meeting numbers until you find a valid one and BAM free international or long distance calling all on someone else's dime!

The current meeting features of turning off "join before host" or "add password" would stop this, but also add some complexity that our internal users or external clients may find frustrating. For example, we've often had a meeting scheduled a couple of weeks out and the meeting organizer gets sick or something. A substitute host will try to start the meeting only to be confronted with a "waiting for host to start meeting" message and then have to quickly find a way to get a new meeting invite out to the participant list. After this happened with several client-facing meetings, our IT department recommended ALL meetings have "join before host" enabled. Likewise, I'm nervous that adding a password to all meetings will generate as much confusion and as many late meeting starts when someone has a meeting link but not the password. Then there is trying to enforce this across our 800+ user base... Yep.

The best idea we have so far is to request a feature to turn off the "invite" button within the meeting interface for participants and make it only available to hosts, as well as the ability to set it globally and make exceptions for some users. This would stop bad actors from racking up international charges on our account and keep joining meetings simple. Anyone else have a better idea?
Fast, posted 2 weeks ago
Taylor
Never knew of this problem but definitely something to be aware of. We always have join before host disabled, but with a smaller team it's not an issue.

My first thought here is that I remember seeing "schedule meetings for me" under a user's profile settings. Does this make the scheduler a host as well possibly? If so it could be a temporary workaround where the host schedules it, but the 'backup' host has permissions to schedule for the primary host. In the event that the primary is not available the backup could enable join before host (or re-configure the existing meeting) with minimal fuss. Just a thought.
Jeff Salisbury, Champion
We use Join Before Host extensively like Fast does, so we would be vulnerable to the same activity. I like the idea of only allowing the host or co-host to be able to invite by phone.
Chris Verdin, Champion
When you use the password option, the link you send out will actually include the password in the link. So they won't get prompted to enter a password. It will get them right in like they usually do. However, if anyone joins manually by just going to https://meetings.ringcentral.com/j/14xxxxxxx it will then prompt them for a password.
Fast
Thank you for this clarification, Mr. Verdin. Anyone with the full link https://meetings.ringcentral.com/j/149#######?pwd=xxxxxxxxx will NOT be prompted for the password, but someone joining by https://meetings.ringcentral.com/j/149####### WILL be prompted for the password.

Further, I also noticed that once in the meeting, if you "copy URL" the passworded URL is copied. Also, if anyone clicks the "invite" button, the password to the meeting is displayed in the lower right corner of the invite window that pops up, for nice easy access.

Now, how to enforce this across the org...

How is the "invite by phone" option allowing the person to make outside calls? My understanding was that this feature only allows the person to connect to the conference.
Jeff Salisbury, Champion
There are two options - one is the Call Me feature to have the system call the number you provide to join audio. The second option once you are in a meeting is to Invite by phone where you enter a phone number and the system calls that person so they can join the audio (including international numbers).
Jeff Salisbury, Champion
This happened to one of my users in November - showed up as a spike in long distance charges, and through call logs found where a bunch of call outs were done to (876) phone numbers that correspond to Jamaica. The RC team disabled international LD for that user and are nice enough to generate a credit request. Their Fraud department said that if you are going to use a Personal Meeting ID (most of us do) and you have your default meetings set to allow Join Before Host, you definitely should have a meeting password set to prevent these types of attacks. I asked about potential feature changes to lock things down and they chose to not respond, so likely nothing imminent coming in near term releases.
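The two hardening rules the thread converges on (Chris Verdin's and Fast's observation that a `?pwd=` join link carries the password with it, and the Fraud department's guidance above that a Personal Meeting ID with Join Before Host needs a password) are easy to turn into an admin-side audit. The following is an added example, not RingCentral code and not anything posted in this thread; the settings fields, the `MeetingSettings` record and the sample meetings are constructed assumptions about what an admin would export from the account, and the meeting IDs and links are placeholders.

```python
"""Audit exported meeting settings for the open-bridge dial-out pattern
described in the thread. Added example: the schema and samples below are
constructed, not RingCentral's API or export format."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class MeetingSettings:
    owner: str
    meeting_id: str            # placeholder IDs in the samples below
    uses_pmi: bool             # static Personal Meeting ID, reusable and guessable
    join_before_host: bool     # anyone with the ID can open the bridge
    password: Optional[str]    # None when no meeting password is set
    international_dialout: bool  # invite-by-phone may dial international numbers


def risk_findings(m: MeetingSettings) -> List[str]:
    """Return the findings for one meeting, empty when it looks safe.

    Rule from the thread: a bridge that opens without the host and has no
    password is reachable by anyone enumerating meeting IDs, and from inside
    it the invite-by-phone feature dials out on the owner's account."""
    findings: List[str] = []
    if m.join_before_host and not m.password:
        findings.append("open-bridge: join-before-host enabled with no password")
    if m.uses_pmi and not m.password:
        findings.append("pmi-no-password: static personal meeting ID without a password")
    # Dial-out only matters once the bridge itself is open to strangers.
    if m.international_dialout and findings:
        findings.append("intl-dialout: international invite-by-phone reachable from an open bridge")
    return findings


def link_exposes_password(join_url: str) -> bool:
    """True when a join link embeds the meeting password as ?pwd=...

    Such a link bypasses the password prompt, so forwarding it forwards the
    password; the bare /j/<id> link still prompts."""
    query = parse_qs(urlparse(join_url).query)
    return bool(query.get("pwd"))


def audit(meetings: List[MeetingSettings]) -> Dict[str, List[str]]:
    """Map each owner with at least one finding to that owner's findings."""
    report: Dict[str, List[str]] = {}
    for m in meetings:
        found = risk_findings(m)
        if found:
            report[m.owner] = found
    return report


# Constructed sample export (not real accounts or meeting IDs).
SAMPLE_MEETINGS = [
    MeetingSettings("alice", "1490000001", uses_pmi=True, join_before_host=True,
                    password=None, international_dialout=True),
    MeetingSettings("bob", "1490000002", uses_pmi=True, join_before_host=True,
                    password="s3cr3t", international_dialout=True),
    MeetingSettings("carol", "1490000003", uses_pmi=False, join_before_host=False,
                    password=None, international_dialout=False),
]

# Constructed links in the shape discussed in the thread (placeholder ID and password).
PASSWORDED_LINK = "https://meetings.ringcentral.com/j/1490000002?pwd=s3cr3t"
BARE_LINK = "https://meetings.ringcentral.com/j/1490000002"


if __name__ == "__main__":
    for owner, findings in audit(SAMPLE_MEETINGS).items():
        print(owner)
        for f in findings:
            print("  -", f)
    print("passworded link exposes password:", link_exposes_password(PASSWORDED_LINK))
    print("bare link exposes password:", link_exposes_password(BARE_LINK))
```

Run against a real export, the first loop is the list of users to chase before a fraud charge shows up, and `link_exposes_password` is the check to apply to any invite text that leaves the organization.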
Fast
Well, maybe this post will help gain traction? The password option is a helpful workaround, but I would like to see an enforceable option for admins.