Skip to content
Techzine Global
  • Home
  • Topstories
  • Topics
    • Analytics
    • Applications
    • Collaboration
    • Data Management
    • Devices
    • Devops
    • Infrastructure
    • Privacy & Compliance
    • Security
  • Insights
    • All Insights
    • Agentic AI
    • Analytics
    • Cloud ERP
    • Generative AI
    • IT in Retail
    • NIS2
    • RSAC 2025 Conference
    • Security Platforms
    • SentinelOne
  • More
    • Become a partner
    • About us
    • Contact us
    • Terms and conditions
    • Privacy Policy
  • Techzine Global
  • Techzine Netherlands
  • Techzine Belgium
  • Techzine TV
  • ICTMagazine Netherlands
  • ICTMagazine Belgium
Techzine » Blogs » Privacy & Compliance » Sensitive metadata Cisco Webex was ‘child’s play’ to find, but how?
5 min Privacy & Compliance

Sensitive metadata Cisco Webex was ‘child’s play’ to find, but how?

Erik van KlinkenJune 6, 2024 11:38 amJune 10, 2024
Sensitive metadata Cisco Webex was ‘child’s play’ to find, but how?

Cisco’s videoconferencing service Webex is under fire. Research from Die Zeit shows that metadata from numerous meetings was accessible just by modifying the URL. This included data on calls from governments in the Netherlands, Germany and elsewhere in Europe, in addition to publically traded companies. What exactly was going on?

The metadata in question involved the title and description of the video call, in addition to the name of the host. Die Zeit obtained data from governments and companies in Germany, the Netherlands, Italy, Austria, France, Switzerland, Ireland and Denmark. Hundreds of thousands of meetings are involved, although German journalist of Die Zeit Eva Wolfangel managed to actually enter a protected conversation only twice. The German Social Democratic Party (SPD) and health insurer Barmer were the affected parties.

Webex is generally seen as a more secure alternative to Microsoft Teams and Zoom. Nevertheless, governments and companies obviously prefer to meet physically when dealing with highly sensitive information.

The Die Zeit study shows several shortcomings in Webex. For example, a password-protected Webex meeting was not always actually secure. Users who did not know the code could get in just by typing a hash. Because the SPD’s Webex call was by telephone, no one could tell that Wolfangel was present. Obviously, in closed video meetings with a handful of participants, such a compromise would quickly be noticed.

Step 2 of investigation

Wolfangel spoke about her findings to other outlets and previously shared the information on Zeit Online. Due to the incident, Dutch public broadcaster NOS described Webex as an “unsafe meeting program” this morning. To know exactly why this is a rather premature conclusion, Die Zeit’s investigation should be placed in a somewhat larger context. Incidentally, the Dutch government says it will continue to use Webex because the bug has been fixed.

Wolfangel already published an article in early May describing that the German army (the Bundeswehr) and the government were leaking their own Webex Meeting IDs. Information about video calls could be accessed online, even if they were highly confidential. The application in use was an on-prem version of Webex, operated by the German military. The links on this iteration of Webex were easy to guess: anyone with one link could find a link to another meeting with a single number change. According to Cisco, this was not possible with the cloud variant in use elsewhere, but this was disproven by Wolfanger. The cloud version generates a random 9- to 11-digit number for the links, Cisco stated, but Die Zeit’s findings refute this.

For months, Die Zeit managed to gather information about online conversations from several European governments and companies in this way. One shared this with Cisco, which in turn asked about the exact methodology used to find the initial links. Die Zeit did not do so (nor does Wolfangel explain the precise methodology in the new article), so the American company could not state exactly how the investigative mechanism exploited the bug. As of May 28, the Webex bug was nevertheless fixed and would no longer use predictable numbers for each scheduled call.

Misconfiguration?

We do not question that the German news site was able to access the Webex data. However, the explanation raises many questions that remain unanswered on a crucial point. Access to metadata is worrisome, since (as other media have pointed out) spies and other actors could use this information for rogue purposes. For example, a country like Russia or China could find out whether certain covert activities of theirs are on the radar of a defense ministry in Europe, to name just one example.

Despite obtaining the metadata of hundreds of thousands of video calls, Wolfangel, as mentioned, only managed to get in on two calls. These are definitely niche exceptions, where the integrity of Webex an sich is not in question. According to Cisco, the only “observable attempts” to exploit the vulnerability were from the Die Zeit investigation. In addition, the standard configuration of Webex requires hosts to set up a password.

No Webex calls were compromised in other countries, apart from metadata held by the German news organization. Dutch State Secretary Van Huffelen is launching an investigation, she announced via a letter to the nation’s parliament. The main concern is that the government had to learn about the Webex incident through the German press and not Cisco. However, as mentioned, the latter was not fully aware of Die Zeit’s method, something that stands in the way of a clear advisory. We have previously reported on public blogs by Microsoft that later turned out to be inaccurate, which that company received fiery criticism from the U.S. government. The issue at hand, then, is for tech companies to deliver their security communications in a timely, accurate and complete manner. To do so, they must be fully informed by external reports, which did not seem to be the case here.

Solutions

Getting back to what Cisco is to blame for: the fact that there were no random numbers for scheduled meetings is a clear security error. Sensitive data should never be found with a simple link change. However, this has since been fixed, leaving Webex to remain a relatively secure meeting software. Second, Die Zeit’s earlier piece on publicly available links from the German government shows where crucial mistakes are being made on this front. If meeting IDs can be found online, something else is already going badly wrong.

Also read: Does Google’s SEO stand for Scam Everyone Openly? -update

Tags:

Cisco / metadata / WebEx

"*" indicates required fields

Stay tuned, subscribe!

Nieuwsbrieven*
This field is for validation purposes and should be left unchanged.

Related

AI agents are coming to Cisco’s Webex

Webex also gets into spatial computing with Vision Pro app

Zoom and Microsoft plan to shake up hybrid meetings, Cisco doesn’t

Cisco doubles down on Webex: new updates change it fundamentally

Editor picks

Dutch Department of Justice offline after Citrix vulnerability

The Department of Justice shut down all internet connections on Frida...

HPE reaches agreement with Elliott: investor gets influence in strategy

HPE has reached an agreement with Elliott Investment Management after...

Replatforming virtualized workloads: Do your VMs need a new home?

Finding a balance for VMs and containers

Broadcom launches Tomahawk Ultra with 250ns network latency

Broadcom has announced its new Tomahawk Ultra switch for high-perform...

Techzine.tv

The impact of OpsRamp on HPE and its integration into the stack

The impact of OpsRamp on HPE and its integration into the stack

Evolution of private 5G and Wi-Fi: is convergence on the horizon?

Evolution of private 5G and Wi-Fi: is convergence on the horizon?

Accelerating SAP Adoption with AI: Interview with Thomas Pfiester at SAP Sapphire

Accelerating SAP Adoption with AI: Interview with Thomas Pfiester at SAP Sapphire

Why does Digital Realty standardize on HPE for operations?

Why does Digital Realty standardize on HPE for operations?

Read more on Privacy & Compliance

Musk in power: should Big Tech be worried?
Top story

Musk in power: should Big Tech be worried?

From thoughts to policy

Erik van Klinken November 21, 2024
Nvidia has permission to sell H20 AI chips in China

Nvidia has permission to sell H20 AI chips in China

The US government has permitted Nvidia to resume sales of its H20 AI chip in China. This reversal could gener...

Berry Zwets July 15, 2025
EU publishes guidelines for AI models with systemic risks

EU publishes guidelines for AI models with systemic risks

On Friday, the European Commission published guidelines for AI models with systemic risks. These are intended...

Berry Zwets 9 hours ago
The sovereign cloud offers no guarantees, how can it do so?
Top story

The sovereign cloud offers no guarantees, how can it do so?

Using the public cloud inherently requires a degree of trust in the chosen provider. Critical industries and ...

Erik van Klinken February 19, 2025

Expert Talks

How AI and automation are redefining ROI in the enterprise

How AI and automation are redefining ROI in the enterprise

Today’s data and business analysts are equipped with a wide array o...

Enhancing video encoding: The AV1 support in the new ARTPEC-9 System-on-Chip

Enhancing video encoding: The AV1 support in the new ARTPEC-9 System-on-Chip

In an era where video security and digital technologies are evolving ...

Simplifying complexity: Bridging the cloud skills gap

In recent years, there has been a seismic shift away from traditional...

How organisations can remain compliant while building resiliency during the AI era

The global push to regulate Artificial Intelligence (AI) is gaining m...

Tech calendar

GITEX DIGI_HEALTH 5.0 - Thailand

September 10, 2025 BITEC Bangkok, Thailand

IT Arena

September 26, 2025 Lviv, Ukraine

Innovation Week 2025

October 9, 2025 Prague

Luxembourg Venture Days

October 22, 2025 Luxembourg

Appdevcon

March 10, 2026 Amsterdam

Webdevcon

March 10, 2026 Amsterdam

Whitepapers

Experience Synology’s latest enterprise backup solution

Experience Synology’s latest enterprise backup solution

How do you ensure your company data is both secure and quickly recove...

How to choose the right Enterprise Linux platform?

How to choose the right Enterprise Linux platform?

"A Buyer's Guide to Enterprise Linux" comprehensively analyzes the mo...

Enhance your data protection strategy for 2025

The Data Protection Guide 2025 explores the essential strategies and...

Strengthen your cybersecurity with DNS best practices

The white paper "DNS Best Practices" by Infoblox presents essential g...

Techzine Global

Techzine focusses on IT professionals and business decision makers by publishing the latest IT news and background stories. The goal is to help IT professionals get acquainted with new innovative products and services, but also to offer in-depth information to help them understand products and services better.

Follow us

Twitter
LinkedIn
YouTube

© 2025 Dolphin Publications B.V.
All rights reserved.

Techzine Service

  • Become a partner
  • Advertising
  • About Us
  • Contact
  • Terms & Conditions
  • Privacy Statement