Ghost in the machine: Researchers find Webex vulnerabilities allow hidden visitors

Uninvited guests can inhabit the video conferencing platform in three different ways, IBM Research found.
(Getty Images)

Halloween may have been last month, but IBM researchers revealed Wednesday that they discovered a way ghosts could haunt Cisco Webex meetings.

The vulnerabilities in the video conferencing platform — since the subject of a Cisco patch — would permit uninvited guests to join a meeting without showing up on the participant list, stay in a meeting even after the host expels them and gather information about other attendees without joining.

Unwelcome guests are often more commonly associated with a Webex competitor, Zoom, which led to the coining of the term “Zoombombing” and Zoom wrestling with the problem. But the IBM research shows that with so many meetings happening online during the pandemic, Zoom isn’t alone.

Webex registered a record 324 million users in March, and saw usage grow 451% from mid-February to mid-June.


IBM Research found that invaders could exploit the “handshake” process whereby Webex connects meeting participants.

“A malicious actor can become a ghost by manipulating these messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others,” the researchers wrote.

Once in, the ghosts would have full access to audio, video, screen sharing and chat capabilities. They also could go into a cloaking mode to stay in the meeting with audio capabilities after a host attempts to expel them.

“How do you know they are really gone? It turns out that with this vulnerability, it is extremely difficult to tell,” IBM’s blog post explains. “Not only could an attacker join meetings undetected or disappear while maintaining audio connectivity, but they could also simply disregard the host’s expel order, stay in the meeting, and keep the audio connection.”

Further, the ghosts could harvest the names, emails, IP addresses and other information on meeting attendees even without admission.


“On November 18, Cisco published security advisories along with fixed software for three medium-severity vulnerabilities in Cisco Webex Meetings and Cisco Webex Meetings Server,” said a Cisco spokesperson. “The issues are resolved in the Cisco Webex Cloud and fixed software is available for those customers with custom deployments. The security advisories and fixes are published as part of our long-standing security vulnerability disclosure process, and Cisco PSIRT is not aware of malicious use of the vulnerabilities that are described in the advisories.”

Update, 11/18/20: Updated to include Cisco statement.

Tim Starks

Written by Tim Starks

Tim Starks Tim Starks 249

Latest Podcasts