A vulnerability in Cisco Webex Meetings Cloud allowed a German journalist to discover links to video conference meetings conducted by the Bundeswehr and the Social Democratic Party of Germany. The bug also affected other organizations using the Webex cloud service, allowing access to information about past and future meetings with various government offices and companies in multiple countries.
The vulnerability was discovered by Netzbegrünung and verified by Eva Wolfangel of ZEIT Online. It was caused by Cisco not using random numbers to assign meeting numbers, making it possible to retrieve metadata through a simple web browser. This posed a potential security risk as spies and criminals could benefit from accessing information about who is discussing what, when, and for how long.
Wolfangel was able to access some of the meetings, even if passwords were required, by using a trick to join via the browser or Webex app. Cisco acknowledged the issue and implemented fixes in their Webex Meetings platform in May 2024. The company confirmed that the bugs have been fixed, and they have not observed any further attempts to exploit the vulnerability.
Netzbegrünung board member Max Pfeuffer confirmed that the method used to find meetings no longer works after the fixes were deployed by Cisco. This incident highlights the importance of addressing vulnerabilities promptly to prevent unauthorized access to sensitive information shared during video conference meetings.
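The root cause described above, meeting numbers that were not assigned randomly, can be checked for in any identifier allocator. The following is an added example, not Cisco's code and not from the original article: it compares a sequential allocator with one backed by a CSPRNG and measures how often one issued number sits close to another. The 11-digit identifier space, the class names and the window size are assumptions made for illustration.

```python
import secrets

ID_SPACE = 10**11  # assumption: 11-digit numeric meeting numbers


class SequentialAllocator:
    """Weak: each new meeting number is the previous one plus one."""

    def __init__(self, start):
        self._next = start

    def allocate(self):
        n = self._next
        self._next += 1
        return n


class RandomAllocator:
    """Hardened: numbers drawn uniformly from the whole space with a CSPRNG."""

    def __init__(self):
        self._used = set()

    def allocate(self):
        while True:
            n = secrets.randbelow(ID_SPACE)
            if n not in self._used:  # retry on the rare collision
                self._used.add(n)
                return n


def neighbour_hit_rate(issued, window=50):
    """Fraction of issued numbers with another issued number within `window`.

    A value near 1.0 means that knowing one valid number reveals others."""
    ordered = sorted(issued)
    hits = 0
    for i, n in enumerate(ordered):
        near_prev = i > 0 and n - ordered[i - 1] <= window
        near_next = i + 1 < len(ordered) and ordered[i + 1] - n <= window
        hits += near_prev or near_next
    return hits / len(ordered)


def audit(allocator, count=1000):
    """Issue `count` numbers from the allocator and score their clustering."""
    return neighbour_hit_rate([allocator.allocate() for _ in range(count)])
```

Unpredictable numbers only remove the guessing shortcut; the endpoint that returns meeting metadata still needs its own authorization check.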
Article Source
https://www.helpnetsecurity.com/2024/06/05/cisco-webex-cloud-vulnerability/