Webex flaw allowed anyone to join private online meetings – no password required

Graham Cluley

Cisco, the makers of Webex, had warned users of the online conferencing service that a vulnerability allowed unauthorised remote users to listen in on private online meetings – without having to enter a password.

The vulnerability, which was rated as high severity by Cisco in a security advisory it published on its website, could allow a complete stranger to snoop upon a private conversation. All that they would need would be the meeting’s ID number and a copy of the Webex mobile app on their iOS or Android smartphone.

A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android.

The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. A successful exploit could allow the unauthorized attendee to join the password-protected meeting.

Thankfully, any unauthorised attendees would be visible in the attendee list of the meeting as a mobile attendee. So sharp-eyed legitimate participants in the online meeting might wonder who the interloper was.

Cisco says it has fixed the vulnerability on its cloud-based Cisco Webex Meetings Suite and Cisco Webex Meetings websites, and that no user action is required. Furthermore, the vulnerability was discovered internally by Cisco, whose security team say that they have seen no public announcements of the vulnerability.

In short, they’re hoping that they spotted it before anyone else did.

Of course, proving 100% that no-one else ever exploited the flaw is a much bigger challenge.
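For organisations that want to look back over their own meetings, the one indicator described above (an unexpected mobile attendee in the attendee list) can be checked against invite lists. The following Python sketch is an added example, not code from Cisco or from the original article; the CSV column names, the sample rows and the invite lists are constructed assumptions rather than a real Webex report format.

```python
import csv
import io

# Constructed sample export; column names are assumptions, not a Webex report format.
SAMPLE_ATTENDANCE = """\
meeting_id,display_name,email,client_type,join_time
100200300,Alice Ng,alice@example.com,desktop,2020-01-20T09:00:05Z
100200300,Bob Reyes,bob@example.com,android,2020-01-20T09:01:12Z
100200300,Guest,,ios,2020-01-20T09:07:41Z
100200300,Carol D,carol@elsewhere.example,android,2020-01-20T09:09:30Z
400500600,Dan Wu,dan@example.com,ios,2020-01-21T14:00:02Z
"""

# Constructed invite lists for password-protected meetings, keyed by meeting ID.
SAMPLE_INVITES = {
    "100200300": {"alice@example.com", "bob@example.com"},
    "400500600": {"dan@example.com"},
}

# The advisory says the join attempt had to come from the iOS or Android app.
MOBILE_CLIENTS = {"ios", "android"}


def flag_uninvited_mobile(attendance_csv, invites):
    """Return attendance rows for mobile joins by people not on the invite list."""
    flagged = []
    for row in csv.DictReader(io.StringIO(attendance_csv)):
        meeting = row["meeting_id"].strip()
        if meeting not in invites:
            continue  # no invite list held for this meeting, nothing to compare
        if row["client_type"].strip().lower() not in MOBILE_CLIENTS:
            continue  # desktop and browser joins are outside this flaw's join flow
        email = row["email"].strip().lower()
        invited = {address.lower() for address in invites[meeting]}
        # A mobile attendee with no email, or one not invited, needs a human look.
        if not email or email not in invited:
            flagged.append(row)
    return flagged


if __name__ == "__main__":
    for hit in flag_uninvited_mobile(SAMPLE_ATTENDANCE, SAMPLE_INVITES):
        print(hit["meeting_id"], hit["join_time"],
              hit["display_name"], hit["email"] or "<no email>")
```

A flagged row is only a prompt for review: invited people who joined from a phone under a different address will also appear.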

Security vulnerabilities have been found in Webex’s software in the past, including ones which could potentially have seen its Android app open a door for malicious attackers, a boobytrapped .SWF Flash file spread to other meeting participants, and most recently – earlier this month – credentials stolen from users via malicious links.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
