A flaw in Webex and Zoom let researchers snoop on users’ video calls

mood · Oct 1, 2019

A flaw in Webex and Zoom let researchers snoop on users’ video calls
October 1, 2019
https://techcrunch.com/2019/10/01/webex-zoom-bug-video-calls/

A team of security researchers found they could tap into Webex and Zoom video meetings because many weren’t protected with a code.

Researchers at Cequence, a startup focused on protecting applications from scraping and account takeovers, programmed a bot to cycle through lists of valid meeting IDs and get access to active conference calls. The vulnerability works because many companies and users don’t protect their meetings with a password [...]
By targeting the platforms’ APIs, they were able to automate the process.

The attack would not be silent, however: callers who successfully access a meeting are announced.
The researchers reported the flaws to both Cisco, which owns Webex, and Zoom in July. Both companies have since pushed out fixes.
Cisco said it was “not aware” of any malicious exploitation of the vulnerability on its platform. Zoom said it was “grateful” to the researchers, adding that it improved its server protections to prevent bot attacks.
Click to expand...

Cequence: Prying-Eye Vulnerability: Direct-to-API Enumeration Attack Enables Snooping

mood · Jan 25, 2020

Cisco Webex Vulnerability Exploited to Join Meetings Without a Password
January 25, 2020
https://www.securityweek.com/cisco-webex-vulnerability-exploited-join-meetings-without-password

The vulnerability, tracked as CVE-2020-3142 and classified as high severity, affected Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites, releases earlier than 39.11.5 and 40.1.3. However, Cisco says the fixes apply only to the sites and users are not required to update their mobile or desktop Webex Meetings applications.

“The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application,” Cisco said in its advisory.
The networking giant has pointed out that while an attacker would have been able to join a password-protected meeting, they would have been seen by the other attendees.
Click to expand...

mood · Nov 18, 2020

Cisco fixes WebEx bugs allowing 'ghost' attackers in meetings
November 18, 2020
https://www.bleepingcomputer.com/ne...ex-bugs-allowing-ghost-attackers-in-meetings/

Cisco has fixed today three Webex Meetings security vulnerabilities that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants.
Ghost attackers in your Webex meeting
Threat actors abusing the now patched flaws could become 'ghost' users capable of joining a meeting without being detected as IBM researchers discovered while analyzing Cisco's collaboration tool for vulnerabilities.
'Ghost' users are meeting participants that can't be seen in the user list and were not invited to the meeting, but they can hear, speak, and share media within the meeting.

The three bugs also enabled attackers to remain in the Webex meeting and maintain a bidirectional audio connection even after admins would remove them and access Webex users' information like email addresses and IP addresses from the meeting room lobby.
Click to expand...

When successfully exploited, IBM researchers said that the bugs would have allowed attackers to:

Join a Webex meeting as a ghost without being seen on the participant list with full access to audio, video, chat, and screen sharing capabilities (CVE-2020-3419)

Stay in a Webex meeting as a ghost after being expelled from it, maintaining audio connection (CVE-2020-3471)

Gain access to information on meeting attendees – including full names, email addresses, and IP addresses – from the meeting room lobby, even without being admitted to the call (CVE-2020-3441)

Click to expand...

IBM: IBM Works With Cisco to Exorcise Ghosts From Webex Meetings

During the rapid shift to work from home, IBM Research and IBM’s Office of the CISO took a deeper look at collaboration tools being used for day-to-day work to understand how they could impact sensitive meetings that were moving to virtual settings. The team analyzed Cisco Webex — IBM’s primary tool for remote meetings — and discovered three vulnerabilities.
Click to expand...

Log in or Sign up

A flaw in Webex and Zoom let researchers snoop on users’ video calls

mood Updates Team

mood Updates Team

mood Updates Team