A flaw in Webex and Zoom let researchers snoop on users’ video calls

mood · Oct 1, 2019

A flaw in Webex and Zoom let researchers snoop on users’ video calls
October 1, 2019
https://techcrunch.com/2019/10/01/webex-zoom-bug-video-calls/

A team of security researchers found they could tap into Webex and Zoom video meetings because many weren’t protected with a code.

Researchers at Cequence, a startup focused on protecting applications from scraping and account takeovers, programmed a bot to cycle through lists of valid meeting IDs and get access to active conference calls. The vulnerability works because many companies and users don’t protect their meetings with a password [...]
By targeting the platforms’ APIs, they were able to automate the process.

The attack would not be silent, however: callers who successfully access a meeting are announced.
The researchers reported the flaws to both Cisco, which owns Webex, and Zoom in July. Both companies have since pushed out fixes.
Cisco said it was “not aware” of any malicious exploitation of the vulnerability on its platform. Zoom said it was “grateful” to the researchers, adding that it improved its server protections to prevent bot attacks.
Click to expand...

Cequence: Prying-Eye Vulnerability: Direct-to-API Enumeration Attack Enables Snooping

mood · Jan 25, 2020

Cisco Webex Vulnerability Exploited to Join Meetings Without a Password
January 25, 2020
https://www.securityweek.com/cisco-webex-vulnerability-exploited-join-meetings-without-password

The vulnerability, tracked as CVE-2020-3142 and classified as high severity, affected Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites, releases earlier than 39.11.5 and 40.1.3. However, Cisco says the fixes apply only to the sites and users are not required to update their mobile or desktop Webex Meetings applications.

“The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application,” Cisco said in its advisory.
The networking giant has pointed out that while an attacker would have been able to join a password-protected meeting, they would have been seen by the other attendees.
Click to expand...

Log in or Sign up

A flaw in Webex and Zoom let researchers snoop on users’ video calls

mood Updates Team

mood Updates Team

Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets

FBI to Internet Users: Don’t Let Your Browser Remember Your Password

Zoom Fixes Flaw Opening Meetings to Hackers

TikTok Flaws Allowed Hackers to Delete Videos, Steal User Info

SonyLIV Fixes Flaw That Could Let Attackers Fetch Sensitive User Information

Log in or Sign up

A flaw in Webex and Zoom let researchers snoop on users’ video calls

mood Updates Team

mood Updates Team

Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets

FBI to Internet Users: Don’t Let Your Browser Remember Your Password

Zoom Fixes Flaw Opening Meetings to Hackers

TikTok Flaws Allowed Hackers to Delete Videos, Steal User Info

SonyLIV Fixes Flaw That Could Let Attackers Fetch Sensitive User Information

Useful Searches