Cisco’s videoconferencing service Webex is under fire. Research from Die Zeit shows that metadata from numerous meetings was accessible just by modifying the URL. This included data on calls from governments in the Netherlands, Germany and elsewhere in Europe, in addition to publically traded companies. What exactly was going on?
The metadata in question involved the title and description of the video call, in addition to the name of the host. Die Zeit obtained data from governments and companies in Germany, the Netherlands, Italy, Austria, France, Switzerland, Ireland and Denmark. Hundreds of thousands of meetings are involved, although German journalist of Die Zeit Eva Wolfangel managed to actually enter a protected conversation only twice. The German Social Democratic Party (SPD) and health insurer Barmer were the affected parties.
Webex is generally seen as a more secure alternative to Microsoft Teams and Zoom. Nevertheless, governments and companies obviously prefer to meet physically when dealing with highly sensitive information.
The Die Zeit study shows several shortcomings in Webex. For example, a password-protected Webex meeting was not always actually secure. Users who did not know the code could get in just by typing a hash. Because the SPD’s Webex call was by telephone, no one could tell that Wolfangel was present. Obviously, in closed video meetings with a handful of participants, such a compromise would quickly be noticed.
Step 2 of investigation
Wolfangel spoke about her findings to other outlets and previously shared the information on Zeit Online. Due to the incident, Dutch public broadcaster NOS described Webex as an “unsafe meeting program” this morning. To know exactly why this is a rather premature conclusion, Die Zeit’s investigation should be placed in a somewhat larger context. Incidentally, the Dutch government says it will continue to use Webex because the bug has been fixed.
Wolfangel already published an article in early May describing that the German army (the Bundeswehr) and the government were leaking their own Webex Meeting IDs. Information about video calls could be accessed online, even if they were highly confidential. The application in use was an on-prem version of Webex, operated by the German military. The links on this iteration of Webex were easy to guess: anyone with one link could find a link to another meeting with a single number change. According to Cisco, this was not possible with the cloud variant in use elsewhere, but this was disproven by Wolfanger. The cloud version generates a random 9- to 11-digit number for the links, Cisco stated, but Die Zeit’s findings refute this.
For months, Die Zeit managed to gather information about online conversations from several European governments and companies in this way. One shared this with Cisco, which in turn asked about the exact methodology used to find the initial links. Die Zeit did not do so (nor does Wolfangel explain the precise methodology in the new article), so the American company could not state exactly how the investigative mechanism exploited the bug. As of May 28, the Webex bug was nevertheless fixed and would no longer use predictable numbers for each scheduled call.
Misconfiguration?
We do not question that the German news site was able to access the Webex data. However, the explanation raises many questions that remain unanswered on a crucial point. Access to metadata is worrisome, since (as other media have pointed out) spies and other actors could use this information for rogue purposes. For example, a country like Russia or China could find out whether certain covert activities of theirs are on the radar of a defense ministry in Europe, to name just one example.
Despite obtaining the metadata of hundreds of thousands of video calls, Wolfangel, as mentioned, only managed to get in on two calls. These are definitely niche exceptions, where the integrity of Webex an sich is not in question. According to Cisco, the only “observable attempts” to exploit the vulnerability were from the Die Zeit investigation. In addition, the standard configuration of Webex requires hosts to set up a password.
No Webex calls were compromised in other countries, apart from metadata held by the German news organization. Dutch State Secretary Van Huffelen is launching an investigation, she announced via a letter to the nation’s parliament. The main concern is that the government had to learn about the Webex incident through the German press and not Cisco. However, as mentioned, the latter was not fully aware of Die Zeit’s method, something that stands in the way of a clear advisory. We have previously reported on public blogs by Microsoft that later turned out to be inaccurate, which that company received fiery criticism from the U.S. government. The issue at hand, then, is for tech companies to deliver their security communications in a timely, accurate and complete manner. To do so, they must be fully informed by external reports, which did not seem to be the case here.
Solutions
Getting back to what Cisco is to blame for: the fact that there were no random numbers for scheduled meetings is a clear security error. Sensitive data should never be found with a simple link change. However, this has since been fixed, leaving Webex to remain a relatively secure meeting software. Second, Die Zeit’s earlier piece on publicly available links from the German government shows where crucial mistakes are being made on this front. If meeting IDs can be found online, something else is already going badly wrong.
Also read: Does Google’s SEO stand for Scam Everyone Openly? -update