A critical flaw in the video conferencing software of the Quebec Liberal Party (PLQ) − a Canadian federalist provincial political party − allowed a user to spy on and hear the strategy discussions of the party at its premises and even access the live video camera feeds.
But luckily, the unknown white hat hacker who discovered the flaw alerted the PLQ staff of the security issue, showing them some videos of the discussions held at the party headquarters as a proof-of-concept.
What if the hacker was having a malicious intent? He could have spied on the party's video feeds covertly and could have handed over the feeds and sensitive information, along with the working intrusion bug, to the opposition party for monetary benefits. It seems like the hacker spied on video conference meetings between PLQ's Quebec and Montreal branches. According to the hacker, the PLQ's software not only contained a security vulnerability but also used the factory default password.
"It was just too easy. It is as if they had stuck their PIN on their credit card," said the local media sources. "They are not careful [...] If it falls into the hands of someone else, who knows what can happen." The hacker, who want to remain anonymous, said he accessed the party's video feeds during PLQ meetings, logged into the video conferencing software several times as well as observed and listened to PLQ discussion on different occasions at its premises.
The hacker told about some of the topics discussed in the meetings. He also started and showed the video feed from PLQ's cameras on demand, and provided screenshots in order to validate his claims. The party officials confirmed the data breach and took the bug report by the hacker seriously, though they said that no sensitive or nation-level issue was ever discussed in those meetings.
"We take this information very seriously," said Maxime Roy, the director of communications. "We already have a team of experts working to understand what happened and plug the computer breach on the most video conferencing system as quickly as possible." After thoroughly investigating the issue, the PLQ officials fixed the bug and had changed the default password of their video conferencing software; the officials told the reporter.