Cisco’s video conferencing service, Webex, has come under scrutiny following an investigation by Die Zeit. The study found that the metadata of numerous meetings, including those involving European governments and publicly traded companies, could be accessed by modifying the URL. This raised concerns about the security of Webex, especially for high-stakes meetings.
The compromised metadata included details such as the title, description, and host name of the video calls. Die Zeit was able to access data from various governments and companies across Europe, highlighting serious vulnerabilities in the Webex platform. While Webex is generally considered a secure option for video conferencing, the investigation revealed several shortcomings that could potentially compromise sensitive information.
One key issue identified was the lack of proper security measures for password-protected meetings. In some cases, users could bypass password protection by simply typing a hash. This flaw allowed unauthorized individuals to access confidential video calls, as demonstrated by Die Zeit’s infiltration of a meeting hosted by the German Social Democratic Party (SPD) and health insurer Barmer.
Following the publication of this report, Dutch public broadcaster NOS labeled Webex as an “unsafe meeting schedule,” prompting concerns among users about the platform’s security. However, the Dutch government confirmed that the vulnerability had been addressed and they would continue to use Webex for official meetings.
Die Zeit’s investigation also revealed a separate incident involving the German military and government leaking their Webex meeting IDs. Access to highly confidential video calls was possible through a local version of Webex operated by the German military, where meeting links were easily guessable. Although Cisco claimed that this issue only affected the local version and not the cloud-based variant, Die Zeit’s findings contradicted this assertion.
Despite the potential risk posed by the metadata breach, Die Zeit was unable to exploit the vulnerability beyond accessing meeting details. No calls were compromised in other countries, and the German government has initiated an investigation to address the issue. The lack of timely and complete communication from Cisco regarding the security flaw has raised concerns about the transparency of technology companies in handling such incidents.
In response to the findings, Cisco has since fixed the vulnerability that allowed for predictable meeting IDs in Webex. This has reinforced the security of the platform and underscored the importance of implementing robust security measures to protect sensitive data during video conferencing. Overall, while the Webex incident highlighted significant security lapses, the prompt resolution of the issue has helped maintain the platform’s reputation as a reliable option for virtual meetings.
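A defender-side check for the behaviour described above, where meeting details were retrieved by changing the ID in the URL. It is added here as an example and is not taken from Cisco, Die Zeit or the source article. It scans access-log lines for clients that step through adjacent meeting IDs; the log format, the `/meet/<number>` path and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real Webex logs); the /meet/<number> path
# layout is an assumption made for this example.
SAMPLE_LOG = """\
203.0.113.7 GET /meet/25530001 200
203.0.113.7 GET /meet/25530002 404
203.0.113.7 GET /meet/25530003 200
203.0.113.7 GET /meet/25530004 200
203.0.113.7 GET /meet/25530005 404
203.0.113.7 GET /meet/25530006 200
198.51.100.20 GET /meet/25530003 200
198.51.100.20 GET /meet/25530003 200
198.51.100.20 GET /meet/25539871 200
192.0.2.44 GET /meet/25531200 200
"""

LINE_RE = re.compile(r"^(\S+) GET /meet/(\d+) (\d{3})$")

def parse(log_text):
    """Return {client_ip: [meeting_id, ...]} in request order."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            by_client[m.group(1)].append(int(m.group(2)))
    return by_client

def longest_walk(ids, max_step=1):
    """Length of the longest run of requests in which each ID differs from
    the previous one by 1..max_step (a sign of URL incrementing)."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if 0 < abs(cur - prev) <= max_step else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_run=5, max_step=1):
    """Clients whose requests walk through adjacent meeting IDs."""
    hits = {}
    for ip, ids in parse(log_text).items():
        run = longest_walk(ids, max_step)
        if run >= min_run:
            hits[ip] = {"run": run, "distinct_ids": len(set(ids))}
    return hits

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Repeated requests for the same meeting and jumps between unrelated IDs reset the run, so a participant reloading their own meeting link is not flagged.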
Article Source
https://www.techzine.eu/blogs/privacy-compliance/120809/sensitive-metadata-cisco-webex-was-childs-play-to-find-but-how/