A flaw in WebEx allows you to access the complete scheme of a company. Some time ago, Karl Fosaaen, an expert in digital forensics published a very interesting research on federated services and Skype for Companies. One of the attack vectors was to be able to access the address books of other companies and send direct messages from Skype for business, including all the features that Skype for Business has, like seeing when there are other users online. Something similar has been discovered in Cisco WebEx. WebEx is used by thousands of companies around the world.
It is a videoconferencing platform that allows customers to use domains such as “companyname.webex.com” to host their public meeting rooms.
A very useful feature is the function to enable personal meeting rooms. Each employee receives a personal meeting room so that they can organize meetings or conference calls in their personal room through WebEx. Employees can share the link in their personal meeting room with those they wish to communicate with.
According to specialists in digital forensics from the International Institute of Cyber Security, a commonly used link is: “companyname.webex.com/meet/userid”. The user ID is usually the user name or the email address of the domain, more or less a few characters. Once you know the name scheme of the personal rooms of a company, you can now enter the personal room of anyone, as the user wants, from any place you want.
When navigating a link in the personal meeting room, this page is displayed:
Once you enter the details that the user desires, you are redirected directly to the personal room. Best of all is that if that person is not currently in your room, we are presented this:
Once you click on ‘Notify’, an email will be sent to the owner of the personal room. This email is generated and sent from email@example.com. This example used a false name, but it could have been any example within the organization.
What does this allow to do?
- Enumerating valid user names direct
- Access to any person within the company
How do I know if a company is vulnerable to this error?
- According to experts in digital forensics, you must verify the link URL of your personal room by entering the configuration of Webex
- Try to access that link from a computer outside your network, if you can enter the personal room, is vulnerable
What can be done about it?
- Depending on the settings, you can change the URL of your personal room
- Recommend to your IT department change the room ID
A quick subdomain enumeration on webex.com discovered thousands of domains for companies that use WebEx this way.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.