On Thursday afternoon, Nov. 15, 2018, Rapid7 learned of a potential security issue with our corporate voicemail system, reported by security researcher Kristian Hermansen. Mr. Hermansen stated that several Rapid7 voicemail boxes were accessible. After investigating, we determined that the default voicemail password set on our corporate phones matched the last four digits of the respective phone number, and users are not prompted to change their voicemail PIN upon receiving a phone number. Without such a change, successfully logging into a phone’s voicemail allows someone to listen to voicemail messages and change voicemail greetings.
Rapid7 thanks Kristian Hermansen for alerting us to this issue.
Unfortunately, default passwords for voicemail systems are not unusual, and we’d recommend other IT teams check their voicemail and similar IT infrastructure for the presence of default credentials.
We have identified this issue as an instance of CWE-521: Weak Password Requirements and CWE-262: Not Using Password Aging. Following our investigation, we have taken these steps to address the issue:
- Reset all voicemail PINs for Rapid7 phone numbers to avoid the easily guessed default PIN.
- Contacted our phone system provider to disclose this issue to them and to recommend keeping voicemail disabled until a user first uses their phone, at which point the user is forced to set a secure PIN, so the default PIN is never left in use.
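The check recommended above can be automated against a PIN export from the phone system. The following is an added audit example, not Rapid7's or any vendor's code; it assumes a constructed export format with `number`, `pin` and `pin_changed` fields, and a hypothetical 365-day PIN-age policy, and flags the two weaknesses named on this page (default PIN equal to the last four digits, and PINs never changed or stale).

```python
"""Audit a voicemail PIN export for default and stale PINs (added example)."""
from datetime import date

# Constructed sample export; numbers and PINs are made up for illustration.
SAMPLE_EXPORT = [
    {"number": "+1-617-555-0142", "pin": "0142", "pin_changed": None},
    {"number": "+1-617-555-0199", "pin": "7381", "pin_changed": "2018-11-15"},
    {"number": "+1-617-555-0233", "pin": "1234", "pin_changed": "2016-02-01"},
    {"number": "+1-617-555-0400", "pin": "0400", "pin_changed": "2017-06-30"},
    {"number": "+1-617-555-0511", "pin": "9462", "pin_changed": "2017-01-10"},
]

AUDIT_DATE = date(2018, 11, 15)   # date the audit is run (constructed)
MAX_PIN_AGE_DAYS = 365            # assumed policy threshold for CWE-262
TRIVIAL_PINS = {"0000", "1111", "1234", "4321", "2580"}  # common weak PINs


def digits(s):
    """Keep only the digit characters of a phone number or PIN string."""
    return "".join(ch for ch in s if ch.isdigit())


def audit_pin(record, today):
    """Return the findings for one extension; an empty list means clean."""
    findings = []
    pin = digits(record["pin"])
    number = digits(record["number"])
    # CWE-521: the vendor default PIN is the last four digits of the number.
    if pin == number[-4:]:
        findings.append("default-pin")
    if pin in TRIVIAL_PINS or len(set(pin)) == 1:
        findings.append("trivial-pin")
    # CWE-262: PIN never changed since provisioning, or older than policy.
    changed = record["pin_changed"]
    if changed is None:
        findings.append("never-changed")
    elif (today - date.fromisoformat(changed)).days > MAX_PIN_AGE_DAYS:
        findings.append("stale-pin")
    return findings


def audit(records, today):
    """Map each extension that has findings to its list of findings."""
    result = {}
    for record in records:
        findings = audit_pin(record, today)
        if findings:
            result[record["number"]] = findings
    return result


def audit_sample():
    """Run the audit over the constructed export as of AUDIT_DATE."""
    return audit(SAMPLE_EXPORT, AUDIT_DATE)
```

Every extension flagged `default-pin` or `never-changed` is one whose owner has never set a PIN of their own, which is exactly the population a forced reset should target.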
Security research is core to Rapid7 and who we are as a company. We take security issues very seriously and abide by a vulnerability disclosure policy of our own, which you can read about here. We appreciate the efforts of researchers and believe, when done with good intent and coordination, research leads to better security outcomes.