IBM researchers reported three bugs in the Webex conferencing application that were recently fixed by Cisco engineers. The vulnerabilities allowed outsiders to join a conference and stay in the chat even after being kicked.
The vulnerabilities were discovered by IBM engineers when they audited tools that were used by the company during the coronavirus pandemic. The researchers say that the vulnerabilities allowed an attacker to join someone else’s conference as a ghost user, while other chat participants would not see him. In doing so, a hacker could gain access to audio and video content and the chat itself, and use other Webex features.
Moreover, the attacker could remain in the chat even if he was kicked, and this allowed the attacker to collect information about users, such as their full names, email addresses, and IP addresses.
The IBM specialists explain that the bugs were related to the implementation of the handshake process. For example, an attacker who knows the URL of a conference can connect to the Webex server, send modified packets, and manipulate the server to access the conference and collect information about its participants. A video demonstration of the attack can be seen below.
During testing, the researchers were able to make the vulnerabilities work on macOS, Windows, Webex Meetings for iOS, and the Webex Room Kit.
Fortunately, these issues only worked if the attacker knew the URL of the scheduled meeting as well as the unique Webex Personal Room URLs. Experts point out that attacking a Webex Personal Room can be even easier, as its address is built on a predictable combination of characters based on the name of the “room” owner and the name of the organization.
We have already mentioned that attackers could easily gain access to communication sessions in Cisco WebEx due to an API vulnerability. This vulnerability allows an attacker to listen in on other people’s conversations.