
Sensitive metadata Cisco Webex was ‘child’s play’ to find, but how?

Erik van Klinken, June 6, 2024 11:38 am, June 10, 2024

Cisco’s videoconferencing service Webex is under fire. Research from Die Zeit shows that metadata from numerous meetings was accessible just by modifying the URL. This included data on calls from governments in the Netherlands, Germany and elsewhere in Europe, in addition to publicly traded companies. What exactly was going on?

The metadata in question involved the title and description of the video call, in addition to the name of the host. Die Zeit obtained data from governments and companies in Germany, the Netherlands, Italy, Austria, France, Switzerland, Ireland and Denmark. Hundreds of thousands of meetings are involved, although Die Zeit journalist Eva Wolfangel managed to actually enter a protected conversation only twice. The German Social Democratic Party (SPD) and health insurer Barmer were the affected parties.

Webex is generally seen as a more secure alternative to Microsoft Teams and Zoom. Nevertheless, governments and companies obviously prefer to meet physically when dealing with highly sensitive information.

The Die Zeit study shows several shortcomings in Webex. For example, a password-protected Webex meeting was not always actually secure. Users who did not know the code could get in just by typing a hash. Because the SPD’s Webex call was by telephone, no one could tell that Wolfangel was present. Obviously, in closed video meetings with a handful of participants, such a compromise would quickly be noticed.

Step 2 of investigation

Wolfangel spoke about her findings to other outlets and previously shared the information on Zeit Online. Due to the incident, Dutch public broadcaster NOS described Webex as an “unsafe meeting program” this morning. To understand why this is a rather premature conclusion, Die Zeit’s investigation should be placed in a somewhat larger context. Incidentally, the Dutch government says it will continue to use Webex because the bug has been fixed.

Wolfangel already published an article in early May describing that the German army (the Bundeswehr) and the government were leaking their own Webex Meeting IDs. Information about video calls could be accessed online, even if they were highly confidential. The application in use was an on-prem version of Webex, operated by the German military. The links on this iteration of Webex were easy to guess: anyone with one link could find a link to another meeting with a single number change. According to Cisco, this was not possible with the cloud variant in use elsewhere, but this was disproven by Wolfangel. The cloud version generates a random 9- to 11-digit number for the links, Cisco stated, but Die Zeit’s findings refute this.

For months, Die Zeit managed to gather information about online conversations from several European governments and companies in this way. The outlet shared this with Cisco, which in turn asked about the exact methodology used to find the initial links. Die Zeit did not disclose it (nor does Wolfangel explain the precise methodology in the new article), so the American company could not state exactly how the investigative mechanism exploited the bug. As of May 28, the Webex bug was nevertheless fixed, and the service would no longer use predictable numbers for each scheduled call.

Misconfiguration?

We do not question that the German news site was able to access the Webex data. However, the explanation raises many questions that remain unanswered on a crucial point. Access to metadata is worrisome, since (as other media have pointed out) spies and other actors could use this information for rogue purposes. For example, a country like Russia or China could find out whether certain covert activities of theirs are on the radar of a defense ministry in Europe.

Despite obtaining the metadata of hundreds of thousands of video calls, Wolfangel, as mentioned, only managed to get in on two calls. These are definitely niche exceptions, where the integrity of Webex as such is not in question. According to Cisco, the only “observable attempts” to exploit the vulnerability were from the Die Zeit investigation. In addition, the standard configuration of Webex requires hosts to set up a password.

No Webex calls were compromised in other countries, apart from metadata held by the German news organization. Dutch State Secretary Van Huffelen is launching an investigation, she announced via a letter to the nation’s parliament. The main concern is that the government had to learn about the Webex incident through the German press and not Cisco. However, as mentioned, the latter was not fully aware of Die Zeit’s method, something that stands in the way of a clear advisory. We have previously reported on public blogs by Microsoft that later turned out to be inaccurate, for which that company received fiery criticism from the U.S. government. The issue at hand, then, is for tech companies to deliver their security communications in a timely, accurate and complete manner. To do so, they must be fully informed by external reports, which did not seem to be the case here.

Solutions

Getting back to what Cisco is to blame for: the fact that there were no random numbers for scheduled meetings is a clear security error. Sensitive data should never be found with a simple link change. However, this has since been fixed, so Webex remains a relatively secure piece of meeting software. Second, Die Zeit’s earlier piece on publicly available links from the German government shows where crucial mistakes are being made on this front. If meeting IDs can be found online, something else is already going badly wrong.
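
The design error described above, next to a corrected form, as an added Python example that is not code from the article or from Cisco. `MeetingStore`, its methods and the sample meetings are hypothetical; the 11-digit length is taken from the 9- to 11-digit range Cisco cites.

```python
import secrets

class MeetingStore:
    """Toy in-memory meeting directory (hypothetical; not Webex's API)."""

    def __init__(self, sequential):
        self.sequential = sequential
        self._next = 100_000_000  # counter used only by the weak scheme
        self._meetings = {}

    def _new_id(self):
        if self.sequential:
            self._next += 1  # weak: the next meeting is the last number plus one
            return self._next
        while True:  # hardened: 11-digit number from the OS CSPRNG
            candidate = 10**10 + secrets.randbelow(9 * 10**10)
            if candidate not in self._meetings:
                return candidate

    def schedule(self, title, host, invitees):
        meeting_id = self._new_id()
        self._meetings[meeting_id] = {
            "title": title, "host": host, "invitees": set(invitees) | {host}}
        return meeting_id

    def metadata_weak(self, meeting_id):
        """Before: whoever presents a valid number gets title and host."""
        m = self._meetings.get(meeting_id)
        return None if m is None else {"title": m["title"], "host": m["host"]}

    def metadata(self, meeting_id, requester):
        """After: 'unknown number' and 'not invited' give the same answer."""
        m = self._meetings.get(meeting_id)
        if m is None or requester not in m["invitees"]:
            return None
        return {"title": m["title"], "host": m["host"]}

def adjacent_leaks(store, known_id, window=1000):
    """Audit check: meetings whose metadata leaks from numbers near one known link."""
    return sum(store.metadata_weak(known_id + d) is not None
               for d in range(-window, window + 1) if d != 0)

def build(sequential, count=50):
    """Constructed sample data: titles, hosts and invitees are invented."""
    store = MeetingStore(sequential)
    ids = [store.schedule(f"Budget review {i}", f"host{i}@example.org",
                          [f"guest{i}@example.org"]) for i in range(count)]
    return store, ids
```

An 11-digit random number carries only about 36 bits, so it works as an identifier rather than a secret; the requester check in `metadata` is what keeps title and host private once a link has leaked or been published.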
