As happens almost every week, a new security flaw has been reported in Webex, Cisco’s video conferencing platform. The technology company has released a report, prepared by its vulnerability testing team, on the newly discovered flaw. If exploited, this vulnerability could allow a remote hacker to access a video conferencing session, no password needed.
According to the report published by Cisco, this is a highly severe flaw and all a threat actor requires for its exploitation is to know the Webex session identification number, in addition to installing the service’s mobile app in an iOS or Android
In its vulnerability testing report, Cisco mentions that the flaw exists due to unintentional exposure of information during the process of joining a Webex session in the mobile version: “An unauthorized participant could exploit the vulnerability to access a session just by knowing a session ID or URL from the browser of a mobile device.”
Exploiting this flaw is trivial and requires minimal resources, although it is not all bad news. Cisco notes that any threat actor who exploits the flaw and manages to access a Webex session will be visible in the list of participants in the video conference, so any legitimate user should be able to detect the intrusion into the session effortlessly.
Cisco’s vulnerability testing team states that the flaw has already been fixed in Cisco Webex Meetings Suite and Cisco Webex Meetings, which are cloud-based, so users of the service do not need to take any additional action to correct it. The company concluded its message by mentioning that no cases of exploitation have been reported in the wild.
The International Institute of Cyber Security (IICS) mentions that it is highly likely that the flaw was detected before threat actors found it. However, Cisco still faces a complex task: investigating and reliably determining that the vulnerability was not exploited by any malicious user.
Multiple vulnerabilities in mobile versions of Webex have been reported previously. A few months ago a flaw was found in the version of Webex for Android; exploiting this vulnerability allowed attackers to extract login credentials using links to malware-laden sites.