The issue was discovered by security researcher Tavis Ormandy, who alerted the company privately before publishing a blog post discussing the situation. Ormandy is a member of Project Zero, a team assembled by Google to hunt down zero-day vulnerabilities.
WebEx uses a 64-character string to remotely start a meeting on a PC with the extension installed. This string simply needs to be included in the URL of a file or resource hosted by a website — it can even be tucked away in a HTML-based iframe tab, making it more difficult to detect.
Ormandy found that this string could be used for much more than just initializing a WebEx session. Malicious entities could run any code or command they liked on another user’s system, simply by having them visit a site that contained this string while using the Chrome browser with the WebEx extension running.
This particular vulnerability had the potential to be catastrophic, given that it targeted a service that’s commonly used in an enterprise setting. Security researcher Martijn Grooten noted that the exploit could have caused chaos if it were combined with a ransomware attack, commenting on the situation in a report by Ars Technica.
Unfortunately, there are still some lingering worries about the security of the extension. Specifically, there are concerns that attackers would be able to take advantage of the gap in its security if Cisco’s WebEx website was to suffer a cross-site scripting vulnerability.
For now, the best recourse is to ensure that all installations of the WebEx extension have been updated to version 1.0.3. This patch should have applied automatically, but users can check for themselves by accessing the Extensions menu in Chrome.
