Cisco, the makers of Webex, has warned users of the online conferencing service that a vulnerability allowed unauthorised remote users to listen in on private online meetings – without having to enter a password.
The vulnerability, which was rated as high severity by Cisco in a security advisory it published on its website, could allow a complete stranger to snoop upon a private conversation. All that they would need would be the meeting’s ID number and a copy of the Webex mobile app on their iOS or Android smartphone.
A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android.
The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. A successful exploit could allow the unauthorized attendee to join the password-protected meeting.
Thankfully, any unauthorised attendees would be visible in the attendee list of the meeting as a mobile attendee. So sharp-eyed legitimate participants in the online meeting might wonder who the interloper was.
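The flaw described above belongs to a familiar class: an authorisation check that is enforced on one entry path (the web join flow) but missing from a second path added later (the mobile deep-link flow). The following toy model, written for this page as an illustration and not taken from Cisco's code or in any way reflecting how Webex is actually implemented, shows the vulnerable shape beside the fixed one: in the vulnerable version the deep-link handler trusts the meeting URL and never asks for the password; in the fixed version every client goes through a single enforcement point. The meeting ID, password and attendee names are constructed sample data.

```python
# Added illustration of the bug class only: a toy meeting service where the
# browser join flow checks the meeting password but a separate "deep link"
# flow for the mobile app does not. Hypothetical; not Cisco/Webex code.
from __future__ import annotations

from dataclasses import dataclass, field
from hmac import compare_digest


@dataclass
class Meeting:
    meeting_id: str
    password: str | None  # None means the meeting is not password-protected
    attendees: list[tuple[str, str]] = field(default_factory=list)  # (client, name)


def make_meetings() -> dict[str, Meeting]:
    # Constructed sample data; the ID and password are made up.
    return {"123456789": Meeting("123456789", "s3cret")}


def password_ok(meeting: Meeting, supplied: str | None) -> bool:
    """Constant-time check of the supplied password against the meeting's."""
    if meeting.password is None:
        return True
    if supplied is None:
        return False
    return compare_digest(meeting.password.encode(), supplied.encode())


# --- vulnerable design: two join flows, only one of them enforces the password ---

def join_web_vulnerable(meetings: dict[str, Meeting], meeting_id: str,
                        supplied: str | None, name: str) -> bool:
    meeting = meetings.get(meeting_id)
    if meeting is None or not password_ok(meeting, supplied):
        return False
    meeting.attendees.append(("web", name))
    return True


def join_deeplink_vulnerable(meetings: dict[str, Meeting], meeting_id: str,
                             name: str) -> bool:
    # The deep-link handler was written to "just open the meeting" once the
    # browser hands the app a meeting URL; the password is never re-checked.
    meeting = meetings.get(meeting_id)
    if meeting is None:
        return False
    meeting.attendees.append(("mobile", name))
    return True


# --- fixed design: one enforcement point for every client type ---

def join_fixed(meetings: dict[str, Meeting], meeting_id: str,
               supplied: str | None, client: str, name: str) -> bool:
    meeting = meetings.get(meeting_id)
    if meeting is None or not password_ok(meeting, supplied):
        return False
    meeting.attendees.append((client, name))
    return True


def mobile_attendees(meeting: Meeting) -> list[str]:
    # What a host would see in the attendee list: anyone who came in through
    # the deep-link path shows up as a mobile attendee.
    return [name for client, name in meeting.attendees if client == "mobile"]


if __name__ == "__main__":
    meetings = make_meetings()
    print(join_web_vulnerable(meetings, "123456789", None, "stranger"))   # False
    print(join_deeplink_vulnerable(meetings, "123456789", "stranger"))    # True: bypass
    print(mobile_attendees(meetings["123456789"]))                        # ['stranger']
    fixed = make_meetings()
    print(join_fixed(fixed, "123456789", None, "mobile", "stranger"))     # False
    print(join_fixed(fixed, "123456789", "s3cret", "mobile", "alice"))    # True
```

The practical lesson is the one-enforcement-point rule: when a new client or entry path is added, it must call the same authorisation routine as the existing ones, and a test that exercises each join path without credentials is the cheapest way to catch the regression.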
Cisco says it has fixed the vulnerability on its cloud-based Cisco Webex Meetings Suite and Cisco Webex Meetings websites, and that no user action is required. Furthermore, the vulnerability was discovered internally by Cisco, whose security team say they have seen no public announcements of the vulnerability and are not aware of it being exploited.
In short, they’re hoping that they spotted it before anyone else did.
Of course, proving 100% that no-one else ever exploited the flaw is a much bigger challenge.
Security vulnerabilities have been found in Webex's software in the past, including one in which its Android app could potentially open a door for malicious attackers, another that allowed a boobytrapped .SWF Flash file to be spread to other meeting participants, and most recently, earlier this month, one that could be used to steal credentials from users via malicious links.