Researchers at Huntress uncovered vulnerabilities at two of the nation's top virtual event platforms — including Webcasts.com, which works with integrated customers at 6Connex — where personally identifiable information, including names, emails and IP addresses were leaked during live events.
Researchers attending events through a platform called VFairs were able to access other attendee profiles, a flaw that opened up the possibility of more nefarious activity including remote code execution and cross scripting attacks.
These virtual event platforms have been used in certain cases by top companies and government agencies, including the U.S. Food and Drug Administration, Ford, Google and labs for COVID-19 research, according to Huntress officials. Both VFairs and 6Connex were contacted by Huntress researchers and the vulnerabilities have since been patched.
The flaws uncovered in these virtual event platforms raise questions about supply chain vulnerabilities, data protection and how sensitive data from Fortune 500 companies and critical government agencies can become vulnerable to bad actors, according to researchers.
Virtual platforms have proliferated across the U.S. and in numerous other countries, as the COVID-19 pandemic forced companies to transition many of their workers to operate remotely with live meetings and events canceled. Data from Bizzabo shows 93% of event organizers plan to invest in virtual events moving forward.
These types of vulnerabilities go well beyond event platforms, according to Huntress Co-Founder and CEO Kyle Hanslovan, and have been found in other virtual platforms that companies use for even more sensitive business applications.
For example, a site called Axial, which is a mergers and acquisitions platform for buying, selling and financing mid-market companies, had a similar vulnerability where hackers dumped more than 250,000 confidential documents.
Information on the incident was shared on a hacker forum on Telegram in early January and later posted to Twitter, according to Huntress researchers. Axial did not immediately respond to Cybersecurity Dive's request for comment.
Hanslovan argues thousands of small- to mid-sized companies are vulnerable to attacks like this and the general public never hears about them.
"The supply chain threat has always been there" he said. "We're just driving some of the awareness."