Cisco Webex suffered from a vuln that could have allowed an attacker to access any account simply by pasting a stolen session token into a URL in their browser.
Although the attack described by Trustwave relies on the attacker already having access to the victim's system, which makes in-the-wild exploitation less likely, it is, nonetheless, not a good thing.
If a user installed the Webex desktop client and set it to automatically log in, the client saved a so-called "dump file" on the local machine. Within that memory-mapped file, Trustwave found, were plain-text strings containing the email account and URL used to host meetings from that account – along with the user's unique WebExAccessToken.
No privilege-based controls were applied to the dump file, meaning any user-level account could read it. Once the token was extracted from the dump file, researchers were able to make a crafted HTTP POST request to Webex's servers, mimicking a genuine connection attempt, which returned a one-time login ticket for live meetings.
And once the attacker had that login ticket, all they needed to do was paste it into a pre-formatted Webex meeting URL.
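As an added illustration, not code from the article, from Trustwave or from Cisco, the Python script below shows how a defender could audit a dump file on a machine for plaintext credential material of the kind described above: it pulls ASCII and UTF-16LE strings out of the binary, looks for the `WebExAccessToken` marker the article names, reports each hit with the value redacted so the scan itself does not re-expose the secret, and flags whether the file is readable by other local users. The sample dump bytes, the `EXAMPLE-TOKEN` value, the email address, the URL and the dump-file path are all constructed placeholders; the permission check uses POSIX mode bits and is an assumption that does not model Windows ACLs.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Marker the article reports appearing in plain text inside the client's dump file.
MARKERS = ["WebExAccessToken"]

# Constructed stand-in for a memory-mapped dump: binary noise around the kinds of
# plaintext strings described (token as ASCII, account email as UTF-16LE, meeting URL).
# The token value, email and URL are made-up placeholders, not real data.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00\xff\xfe"
    + b"WebExAccessToken=EXAMPLE-TOKEN-0123456789abcdef\x00\x00"
    + "user@example.com".encode("utf-16-le") + b"\x00\x00"
    + b"https://meetings.example.com/user\x00\x00"
    + b"\xff" * 16
)


def extract_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.decode("ascii") for m in re.findall(ascii_re, data)]
    found += [m.decode("utf-16-le") for m in re.findall(utf16_re, data)]
    return found


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix for triage and mask the rest of a secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def find_token_hits(data: bytes) -> List[Dict[str, str]]:
    """Locate marker strings in the dump and return redacted findings."""
    hits = []
    for s in extract_strings(data):
        for marker in MARKERS:
            if marker in s:
                # Treat whatever follows the marker (after '=', ':' or quotes) as the secret value.
                idx = s.index(marker) + len(marker)
                value = s[idx:].lstrip("=:\" ").strip()
                hits.append({"marker": marker, "value_redacted": redact(value)})
    return hits


def readable_by_other_users(path: str) -> bool:
    """Assumption: POSIX permission bits. Windows ACLs are not modelled by this check."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_dump(path: str) -> Dict[str, object]:
    """Read a dump file and report secret hits plus whether other local users can read it."""
    with open(path, "rb") as f:
        data = f.read()
    return {
        "path": path,
        "readable_by_others": readable_by_other_users(path),
        "hits": find_token_hits(data),
    }


def write_sample_dump() -> str:
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dmp")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_DUMP)
    return path


if __name__ == "__main__":
    report = audit_dump(write_sample_dump())
    print(f"{report['path']}: readable by other users = {report['readable_by_others']}")
    for hit in report["hits"]:
        print(f"  {hit['marker']} -> {hit['value_redacted']}")
```

Scanning for UTF-16LE as well as ASCII matters on Windows-built clients, whose in-memory strings are often wide characters; the script reports only a redacted prefix so that a finding can be triaged without copying the token into yet another file.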
As Trustwave's Ziv Mador said: "Simply put, another user can loop over [genuine] sessions and try to open, read and save interesting contents for future inspection."
Mador continued: "Using the leaked information I was able to access my own account from another machine with a different IP address. It allowed me to see all meetings along with invited parties and meeting password (if set), download past meeting recordings and so on."
Recent updates to Webex are said to have fixed the problem, and admins and users alike are urged to download and install them.
The Register has asked Cisco for comment on Trustwave's findings, which are due to be published as CVE-2020-3347.
Webex, along with other videoconferencing platforms, has come under intense scrutiny since the start of the global COVID-19 pandemic earlier this year forced the entire world into remote working almost overnight.
Immediately before the March shutdown of the western world's economies, Cisco 'fessed up to a vuln that let anyone join a password-protected meeting, while in March it issued patches for a remote code execution vuln that allowed an attacker to run code contained in a suitably crafted video file using one of two Webex-specific file formats.
Meanwhile, in April, a US judge humiliated Switchzilla by refusing its pleas to use Webex for the remote hearing of a patent trial, instead ordering it onto arch-rival Zoom's platform. ®