SoylentNews is people

posted by Fnord666 on Monday November 23 2020, @03:55PM
from the watching-you dept.

Cisco rolls out fix for Webex flaws that let hackers eavesdrop on meetings:

Cisco is rolling out fixes for three vulnerabilities in its Webex video-conference software that made it possible for interlopers to eavesdrop on meetings as a "ghost," meaning being able to view, listen, and more without being seen by the organizer or any of the attendees.

The vulnerabilities were discovered by IBM Research and IBM's Office of the CISO, which analyzed Webex because it's the company's primary tool for remote meetings. The discovery comes as work-from-home routines have driven a more than fivefold increase in the use of Webex between February and June. At its peak, Webex hosted up to 4 million meetings in a single day.

The vulnerabilities made it possible for an attacker to:

  • Join a meeting as a ghost, in most cases with full access to audio, video, chat, and screen-sharing capabilities
  • Maintain an audio feed as a ghost even after being expelled by the meeting leader
  • Access full names, email addresses, and IP addresses of meeting attendees, even when not admitted to a conference room.

Cisco is in the process of rolling out a fix now for the vulnerabilities, which are tracked as CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419.


This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Monday November 23 2020, @04:31PM (5 children)

    by Anonymous Coward on Monday November 23 2020, @04:31PM (#1080713)

    Webex needs to die. It's been a constant source of security vulnerabilities in a tool literally designed to take over your computer remotely. The choice of browser/OS combinations required to get it to work is severely limiting. There are other video meeting/presentation applications available now that do a better job across more platforms. Every time I have to use Webex I feel like I'm about to surf porn with an un-patched version of IE. Just let it die.

    • (Score: 2) by ledow on Monday November 23 2020, @05:01PM (4 children)

      by ledow (5567) on Monday November 23 2020, @05:01PM (#1080722) Homepage

      I refuse to use any conferencing software that doesn't operate entirely inside my browser DOM.

      Weren't given access to the camera? Then you don't have it.
      Weren't given access to the mic? Then you don't have it.

      WebEx works just fine in a browser, as do Zoom, Google Meet, Teams, and all the others. They try to trick you into installing the software (red flag #1!), they then have full permission to your user account (red flag #2) and therefore could do anything, while allowing remote control/operation of themselves (you're out!).

      Inside a browser, they can do whatever any other website could already do anyway - request my camera, request my mic, send and receive information, but not escape the sandbox or even (nowadays) try to access the local filesystem.

      Stop falling for the "you must install our app" hype, it's just a way to put services and full-on executables into your computer and allow them constant 24/7 access to everything you do.

      And I'm far from paranoid, but when the alternative is "I'll just load that in my browser instead" you're an idiot to run it as a fully-fledged program with access to your entire user account.

      • (Score: 0) by Anonymous Coward on Monday November 23 2020, @05:07PM (2 children)

        by Anonymous Coward on Monday November 23 2020, @05:07PM (#1080726)

        Stop falling for the "you must install our app" hype

        and the kicker is, their "app" is just an electron app with its own chromium in it but without the actual sandbox ;)

        • (Score: 2) by Runaway1956 on Monday November 23 2020, @05:41PM (1 child)

          by Runaway1956 (2926) Subscriber Badge on Monday November 23 2020, @05:41PM (#1080737) Homepage Journal

          So, maybe install the app inside of a virtual box, which is, itself, completely sandboxed? Revoking permissions to a VM is quite simple, after all. More, turning the VM off is even simpler. And, your real machine is protected from anything and everything.

          --
          Abortion is the number one killer of children in the United States.
          • (Score: 0) by Anonymous Coward on Tuesday November 24 2020, @12:57PM

            by Anonymous Coward on Tuesday November 24 2020, @12:57PM (#1080964)
            Yeah and the VM + App might even use less RAM than Chrome ;)
      • (Score: 3, Interesting) by Taibhsear on Tuesday November 24 2020, @12:15PM

        by Taibhsear (1464) on Tuesday November 24 2020, @12:15PM (#1080957)

        WebEx works just fine in a browser

        On Linux in Firefox it only seems to work for your own personal room, one-on-one with someone. In a group meeting it fails to load and tells you to install the app, which you can't do, or jump through a bunch of hoops to install a 32-bit browser and obsolete software. I have to run it through a Windows VM for work/school since it's the only way I can get it to work properly/safely. For some reason they don't code the software in 64-bit which seems kind of ridiculous to me in 2020.

  • (Score: -1, Flamebait) by Anonymous Coward on Monday November 23 2020, @05:48PM

    by Anonymous Coward on Monday November 23 2020, @05:48PM (#1080738)

    on dumb whores would use this shit, so fuck them too.
