Categories: NewsSecurity

Enterprise-Level WebEx Chrome Plugin Users Vulnerable to Drive-by Attacks

Users of the Google Chrome browser should update the commonly used WebEx plugin. This particular type of code is used for the Cisco Systems WebEx service, yet contains a severe vulnerability. The unpatched version of this plugin allows any site to run malicious code, which would cause harm to millions of Internet users. All of these drive-by attacks can occur on any website visited by these users, regardless of who it belongs to.

WebEx Plugin Can Facilitate Drive-by Attacks

In the enterprise sector, WebEx is used by more than 20 million users as of today. These potential targets are also a high-value target for criminals who look to take advantage of the Chrome plug-in’s vulnerabilities. Anyone who manages to exploit this flaw while it’s present can create one of the world’s most powerful

exploits kits.

Not only could criminals target these 20 million enterprise users, but they could also exploit the companies these employees work for. If these vulnerabilities are exploited on a large scale, it is impossible to predict what will happen. Thankfully, an emergency update has been released for this plugin, and users are advised to update as soon as possible.

Exploiting this vulnerability is not difficult either. All it takes is a compromised website to host a file or resource that contains the so-called “magic” string in its URL. This “magic string” pattern allows the WebEx service to remotely start meetings on any computer, as long as they have the extension installed. Through this command, a hacker could execute any form of code or command to cause havoc. In fact, it is possible to load this “magic string” into an iframe tag, where it would be hidden from the public.



Related Post

Even though this emergency patch solves the problem, it is not necessarily a full-fledged solution. Code-execution exploits can still be used against the WebEx Chrome plugin, due to update allowing Cisco’s webex.com site to invoke the magic pattern without warning. If that site were to suffer from an XSS (Cross Site Scripting) vulnerability, it would be possible once again to exploit the WebEx bug. Although that risk factor may be deemed “highly improbable”, it’s still worth taking into account.

Quite a few security experts have been analyzing the vulnerability and associated emergency patch. So far, not too many have been impressed with the update. Filippo Valsorda, who works as a security researcher at CloudFlare, stated how this is a “social engineering nightmare”. It is evident Cisco left a huge security gap wide open, and it is unclear if anyone has taken advantage of it.

Unfortunately, there is no way for Cisco to force this update upon its WebEx plugin users. All enterprise clients have to manually update to version 1.0.3. It is also possible to force the update by enabling “Developer Mode” in the plugin settings. All things considered, a lot of companies may remain vulnerable to this type of attack over the coming months.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.

JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.

Share
Published by
JP Buntinx

Recent Posts

Cheems Surge On BSC Network: A Rising Star With Growing Market Value

The Cheems token on the Binance Smart Chain (BSC) is gaining significant momentum, surging by…

1 hour ago

Lester Token Crashes 40% Following Official Announcement

The value of $LESTER plummeted by 40% in the past 24 hours, leaving its market…

1 hour ago

From $30K To Millions: The Wild Journey Of $Quant And Xiaohaige’s Memecoin Stunts

In a bizarre turn of events, a young live-streamer known as Xiaohaige created the memecoin…

1 hour ago

Whale “convexcuck.eth” Makes Bold $CVX Move, Nets Significant Profit Amid Price Surge

The crypto whale known as "convexcuck.eth" has made waves in the DeFi world, spending $2…

1 hour ago

$ELIZA Token Launch Marred By Insider Trading Allegations

The launch of $ELIZA, a token introduced by Andreessen Horowitz (a16z) partner @shawmakesmagic, has sparked…

1 hour ago

Cardano’s Rally Highlights Diverging Moves Among Investors

Cardano ($ADA) has been making waves in the crypto market, breaking away from the altcoin…

2 hours ago