A security flaw within the popular Webex Video Conferencing platform allowed unauthorized or unauthenticated users to join private online meetings. Such a serious threat to privacy and gateway to potentially successful espionage attempts was patched by Webex parent company, Cisco Systems.
Another loophole discovered and subsequently patched by Cisco Systems allowed any unauthorized stranger to sneak inside virtual and private meetings, even those protected by password, and eavesdrop. The only components needed to successfully pull off the hack or attack were the meeting ID and a Webex mobile application.
Cisco Systems Discover Security Vulnerability In Webex Video Conferencing With Severity Rating Of 7.5:
The security flaw within Webex could be exploited by a remote attacker without needing any sort of authentication, indicated Cisco. An attacker would merely need the meeting ID and a Webex mobile application. Interestingly, both the iOS and Android mobile applications for Webex could be used to launch the attack, notified Cisco in a Friday advisory,
“An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. Next, the interloper can access the specific meeting via the mobile Webex app, no password required.”
— Meadow Mountain Tech (@meadowmttech) January 26, 2020
Cisco has figured out the root cause of the flaw. “The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser.”
The only aspect that would have exposed the eavesdropper was the list of attendees in the virtual meeting. The unauthorized attendees would be visible in the attendee list of the meeting as a mobile attendee. In other words, the presence of all the people can be detected, but it is for the administrator to tally the list against authorized personnel to identify unauthorized persons. If undetected, an attacker could easily eavesdrop on potentially secretive or critical business meeting details, reported ThreatPost.
Cisco Product Security Incident Response Team Patches Vulnerability In Webex:
Cisco Systems recently discovered and patched a security flaw with a CVSS score of 7.5 out of 10. Incidentally, the security vulnerability, officially tracked as CVE-2020-3142, was found during an internal investigation and resolution for another Cisco TAC support case. Cisco has added that there are no confirmed reports about the exposure or exploitation of the flaw, “The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements of the vulnerability that is described in this advisory.”
Webex flaw allowed anyone to join private online meetings – no password required https://t.co/F9rQ4UA2Mm pic.twitter.com/7uftEBe15T
— Graham Cluley (@gcluley) January 26, 2020
The vulnerable Cisco Systems Webex Video Conferencing platforms were Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites for versions earlier than 39.11.5 (for the former) and 40.1.3 (for the latter). Cisco fixed the vulnerability in versions 39.11.5 and later, The Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites version 40.1.3 and later are patched.