For those who haven't noticed it, RingCentral's mobile app has an "Express Link" sign-in feature.
The feature is mentioned in this KB article:
"Please note: If you’re logging in with your mobile device, you may also have the option to sign in with an express link. If you choose to sign in with an express link, they will send you an email to the email address linked to your account to perform an express login."
The way it works is very simple and also very dangerous: after you enter an email address to sign in, instead of asking for a password, the app offers to send that address an email containing a special "express link" that carries an authentication token. When the link is clicked, the mobile app that made the request is logged in automatically.
The idea behind the feature is obviously to make it easier for mobile users to sign in, since typing a password on a phone is slower than on a desktop keyboard. Unfortunately, from an IT perspective this is extremely risky and prone to abuse.
I recently discovered this after being targeted by a phishing attack myself: I received 100% real emails coming from RingCentral themselves, with real links to the RingCentral website, asking me to "confirm" my sign in.
Obviously, the attacker can enter *any RC user's* email address to initiate a login, and "Express Link" will proceed to send a link to that address.
It takes one click, just one click, and the attacker is signed in as that user on the attacker's own mobile app.
Anyone who has worked in IT will understand that no matter how much you warn and educate your users, someone will click that link when you send it to enough of them, enough times.
The way RingCentral has implemented this is even more dangerous than the common phishing schemes: in those attacks, the intruder has to send a forged email from a server they control ("spoofing"), pointing at a look-alike URL, to lure the user into entering their credentials.
Those typical phishing emails have a good chance of being blocked by a decent email security system, and a vigilant user can inspect the link and notice that it does not point to the right domain. Finally, multi-factor (2-factor) authentication acts as a last check if the credentials are compromised anyway.
By contrast, the "Express Link" RingCentral sends out is 100% "real". It has a good chance of getting delivered right into the inbox, and the links in them point to the real ringcentral.com.
Of course, the email carries the standard warning reminding the user to click only if they expected it, and to call if they didn't or suspect any wrongdoing. By the way, the number provided isn't even a fraud hotline. It just leads to the standard support line, with a series of menus and options to get through before the user can speak to a representative.
But again, someone out there, quite a few of them in this case, will just click that link. That's a fact. And their accounts will easily get compromised in the most effortless way for the attackers: they never even had to know their passwords or compromise their email accounts. It's like they "politely" asked to be in, and were then let in promptly, just like that.
The very idea that a link sent to one user's email box would allow any other user on the other side of the world to login without further authentication is outright dangerous. This design is deeply flawed and should have never been approved by RingCentral's security team.
So RingCentral, if you see this, please strongly consider removing this feature altogether, or at least give customers an option to disable it for the entire tenant.
If you're a RingCentral user, you're probably affected by this vulnerability unless your organization uses SSO (I assume this does not affect SSO tenants, but haven't tested). Please upvote this to protect yourself and other users in your organization.
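To make the flaw described above concrete, here is a small model of the flow as this post describes it (an app asks for a link, anyone who clicks the emailed link signs that app in) next to one way of closing the hole: the click only counts when it carries a secret that never left the device that asked for the link, and links expire and are single-use. This is an added example written for this page, not RingCentral's code; the class names, the example.invalid URL and the hardening design are assumptions about how such a flow could be built, not a description of RingCentral's implementation.

```python
"""Model of an email "express link" sign-in flow, naive and device-bound.
Hypothetical code written for this discussion; not RingCentral's."""
import hashlib
import hmac
import secrets
import time


def _h(s: str) -> bytes:
    return hashlib.sha256(s.encode()).digest()


class NaiveExpressLink:
    """Whoever clicks the emailed link approves the pending sign-in."""

    def __init__(self):
        self._pending = {}   # link_token -> (request_id, email)
        self._approved = {}  # request_id -> email

    def request_login(self, email):
        """Called by the app. Returns (request_id kept by the app, link that is emailed)."""
        request_id = secrets.token_urlsafe(16)
        link_token = secrets.token_urlsafe(32)
        self._pending[link_token] = (request_id, email)
        return request_id, f"https://example.invalid/express?t={link_token}"

    def click_link(self, link_token):
        """Called by whatever browser or app opens the emailed link."""
        req = self._pending.pop(link_token, None)
        if req is None:
            return False
        request_id, email = req
        self._approved[request_id] = email   # no check on WHO clicked
        return True

    def poll(self, request_id):
        """The requesting app polls until a session appears."""
        return self._approved.pop(request_id, None)


class DeviceBoundExpressLink:
    """Same flow, but the click only counts when accompanied by a verifier
    that stayed on the requesting device; links expire and are single-use."""
    TTL_SECONDS = 600

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # link_token -> (request_id, email, verifier_hash, expiry)
        self._approved = {}
        self.alerts = []    # (email, reason) to surface to the account owner / SOC

    def request_login(self, email):
        request_id = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(32)   # kept in the app, never emailed
        link_token = secrets.token_urlsafe(32)
        expiry = self._now() + self.TTL_SECONDS
        self._pending[link_token] = (request_id, email, _h(verifier), expiry)
        return request_id, verifier, f"https://example.invalid/express?t={link_token}"

    def click_link(self, link_token, verifier=None):
        req = self._pending.pop(link_token, None)   # single use: gone after one try
        if req is None:
            return False
        request_id, email, vhash, expiry = req
        if self._now() > expiry:
            return False
        if verifier is None or not hmac.compare_digest(vhash, _h(verifier)):
            # Link opened on a device other than the one that asked: the
            # phishing case from the post. Deny and alert instead of approving.
            self.alerts.append((email, "express link opened on a device that did not request it"))
            return False
        self._approved[request_id] = email
        return True

    def poll(self, request_id):
        return self._approved.pop(request_id, None)


def _token_from(link):
    return link.split("t=", 1)[1]


def phishing_scenario():
    """Attacker types the victim's address into their own app; the victim
    clicks the genuine email on their own phone. Returns who gets signed in."""
    victim = "victim@example.com"
    out = {}
    naive = NaiveExpressLink()
    attacker_req, emailed_link = naive.request_login(victim)
    naive.click_link(_token_from(emailed_link))        # victim clicks
    out["naive"] = naive.poll(attacker_req)            # attacker's app is signed in

    bound = DeviceBoundExpressLink()
    attacker_req, _attacker_verifier, emailed_link = bound.request_login(victim)
    bound.click_link(_token_from(emailed_link))        # victim's phone has no verifier
    out["bound"] = bound.poll(attacker_req)            # None: attacker stays logged out
    out["bound_alerts"] = len(bound.alerts)
    return out


def legitimate_scenario():
    """The same device requests the link and opens it: sign-in succeeds."""
    bound = DeviceBoundExpressLink()
    req, verifier, link = bound.request_login("user@example.com")
    bound.click_link(_token_from(link), verifier)
    return bound.poll(req)


if __name__ == "__main__":
    print(phishing_scenario())    # {'naive': 'victim@example.com', 'bound': None, 'bound_alerts': 1}
    print(legitimate_scenario())  # user@example.com
```

The bound variant keeps the convenience the feature was built for (the mobile user requests the link and opens it in the same app) while a link forwarded to someone else's inbox is worthless to the device that requested it, and a click from the wrong device produces an alert rather than a session. It does nothing against an attacker who already controls the victim's mailbox, so a tenant-wide switch to disable the feature, as requested in this post, remains the stronger control.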
Product Line: RingCentral App