Categories: NewsSecurity

Enterprise-Level WebEx Chrome Plugin Users Vulnerable to Drive-by Attacks

Users of the Google Chrome browser should update the commonly used WebEx plugin. This particular type of code is used for the Cisco Systems WebEx service, yet contains a severe vulnerability. The unpatched version of this plugin allows any site to run malicious code, which would cause harm to millions of Internet users. All of these drive-by attacks can occur on any website visited by these users, regardless of who it belongs to.

WebEx Plugin Can Facilitate Drive-by Attacks

In the enterprise sector, WebEx is used by more than 20 million users as of today. These potential targets are also a high-value target for criminals who look to take advantage of the Chrome plug-in’s vulnerabilities. Anyone who manages to exploit this flaw while it’s present can create one of the world’s most powerful

exploits kits.

Not only could criminals target these 20 million enterprise users, but they could also exploit the companies these employees work for. If these vulnerabilities are exploited on a large scale, it is impossible to predict what will happen. Thankfully, an emergency update has been released for this plugin, and users are advised to update as soon as possible.

Exploiting this vulnerability is not difficult either. All it takes is a compromised website to host a file or resource that contains the so-called “magic” string in its URL. This “magic string” pattern allows the WebEx service to remotely start meetings on any computer, as long as they have the extension installed. Through this command, a hacker could execute any form of code or command to cause havoc. In fact, it is possible to load this “magic string” into an iframe tag, where it would be hidden from the public.



Related Post

Even though this emergency patch solves the problem, it is not necessarily a full-fledged solution. Code-execution exploits can still be used against the WebEx Chrome plugin, due to update allowing Cisco’s webex.com site to invoke the magic pattern without warning. If that site were to suffer from an XSS (Cross Site Scripting) vulnerability, it would be possible once again to exploit the WebEx bug. Although that risk factor may be deemed “highly improbable”, it’s still worth taking into account.

Quite a few security experts have been analyzing the vulnerability and associated emergency patch. So far, not too many have been impressed with the update. Filippo Valsorda, who works as a security researcher at CloudFlare, stated how this is a “social engineering nightmare”. It is evident Cisco left a huge security gap wide open, and it is unclear if anyone has taken advantage of it.

Unfortunately, there is no way for Cisco to force this update upon its WebEx plugin users. All enterprise clients have to manually update to version 1.0.3. It is also possible to force the update by enabling “Developer Mode” in the plugin settings. All things considered, a lot of companies may remain vulnerable to this type of attack over the coming months.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.

JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.

Share
Published by
JP Buntinx

Recent Posts

Crypto Whale Sparks 8x Surge In $OPK Price with Massive Buy-in

A mysterious crypto whale, who previously invested 9,600 SOL into tokens $Pnut and $FRED, has…

23 mins ago

Early ENS Investor Transfers $2.47M To Binance Amid Upcoming Token Unlocks

An early investor linked to the $ENS token recently transferred 154,000 ENS tokens, valued at…

26 mins ago

Wintermute’s Memecoin Strategy: BABYDOGE Ranks Among Top 3 Holdings

In a surprising turn, $BABYDOGE has climbed to the top three in Wintermute’s memecoin holdings…

33 mins ago

$Pnut’s Meteoric Rise: How A Tragic Squirrel Inspired A Memecoin Sensation

The $Pnut memecoin recently soared past a $120 million market cap, creating unexpected wealth for…

39 mins ago

Political Memecoins And High-Stakes Bets Surge As Election Approaches

With election season heating up, political memecoins like $PEOPLE, $MAGA, $HARRIS, and $TRUMP are surging.…

45 mins ago

TRX Price Prediction: Tron Network Fee Cut to Spark New ATH?

Back into Spotlight: Tron Network Fee Cut Could Push TRX to ATH, But This DeFi…

10 hours ago