Anybody can join your private Webex meetings without a password

As seems to happen every week, a new security flaw has been reported in Webex, Cisco’s video conferencing platform. The technology company has released a report, prepared by its vulnerability testing team, on the newly discovered flaw. If exploited, this vulnerability could allow a remote attacker to join a video conferencing session without a password.

According to the report published by Cisco, this is a highly severe flaw. To exploit it, a threat actor only needs to know the Webex session identification number and to install the service’s mobile app on an iOS or Android smartphone.

In its vulnerability testing report, Cisco mentions that the flaw exists due to unintentional exposure of information when joining a Webex session from the mobile version: “An unauthorized participant could exploit the vulnerability to access a session just by knowing a session ID or URL from the browser of a mobile device.”

Exploiting this flaw is trivial and requires minimal resources, although it is not all bad news. Cisco notes that any threat actor who exploits the flaw and manages to access a Webex session will be visible in the list of participants in the video conference, so any legitimate user should be able to detect the intrusion into the session effortlessly.

Cisco’s vulnerability testing team claims that the flaw has already been fixed in Cisco Webex Meetings Suite and Cisco Webex Meetings, which are cloud-based, so users of the service do not have to take any additional action to correct it. The company concluded its message by mentioning that no cases of exploitation have been reported in the wild.

The International Institute of Cyber Security (IICS) mentions that it is highly likely that the flaw was detected before threat actors found it. However, Cisco still faces a complex task: investigating and reliably determining that the vulnerability was not exploited by any malicious user.

Multiple vulnerabilities in mobile versions of Webex have been reported previously. A few months ago, a flaw was found in the Android version of Webex; exploiting this vulnerability allowed attackers to extract login credentials using links to malware-plagued sites.