Technology giant Cisco is planning on rectifying three bugs in the Webex video conferencing app that can let cybercriminals sneak in and join Webex meetings as ghost users, unseen to other participants.
The flaws were revealed earlier this year by security experts from IBM, who carried out an assessment of the remote working tools Cisco was using internally during the Covid-19 pandemic.
According to researchers, the three vulnerabilities, when combined, would have permitted an attacker to join a Webex meeting as a ghost user, invisible to other participants, but with full access to audio, video, chats, and screen sharing.
A hacker can also remain in a Webex meeting as a ghost audio user even after being barred from it, and can obtain information on meeting participants, such as full names, email addresses, and IP addresses.
The experts said the vulnerabilities reside in the “handshake” procedure that occurs when new Webex meetings are set up.
“In our analysis, we identified the specific values of the client information that could be manipulated during the handshake process to make the attendee invisible on the participants’ panel,” the IBM research team said.
“We were able to demonstrate the ghost attendee issue on MacOS, Windows, and the iOS version of Webex Meetings applications, and Webex Room Kit appliance,” the researchers added.
However, IBM researchers say that “personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner’s name and organization name.”