Skip to main content
  1. Home
  2. Computing
  3. News

Google researcher finds major security flaw in Cisco's WebEx Chrome extension

Brad Jones
By

A hand on a laptop in a dark surrounding.
Image used with permission by copyright holder
A Google Chrome browser extension with a user base of 20 million has been updated to patch a serious security vulnerability that made it possible to run malicious code with a minimum of effort. Users of the Cisco Systems WebEx extension are encouraged to make sure that they have updated to version 1.0.3.

The issue was discovered by security researcher Tavis Ormandy, who alerted the company privately before publishing a blog post discussing the situation. Ormandy is a member of Project Zero, a team assembled by Google to hunt down zero-day vulnerabilities.

Recommended Videos

WebEx uses a 64-character string to remotely start a meeting on a PC with the extension installed. This string simply needs to be included in the URL of a file or resource hosted by a website — it can even be tucked away in a HTML-based iframe tab, making it more difficult to detect.

Related

Ormandy found that this string could be used for much more than just initializing a WebEx session. Malicious entities could run any code or command they liked on another user’s system, simply by having them visit a site that contained this string while using the Chrome browser with the WebEx extension running.

This particular vulnerability had the potential to be catastrophic, given that it targeted a service that’s commonly used in an enterprise setting. Security researcher Martijn Grooten noted that the exploit could have caused chaos if it were combined with a ransomware attack, commenting on the situation in a report by Ars Technica.

Unfortunately, there are still some lingering worries about the security of the extension. Specifically, there are concerns that attackers would be able to take advantage of the gap in its security if Cisco’s WebEx website was to suffer a cross-site scripting vulnerability.

For now, the best recourse is to ensure that all installations of the WebEx extension have been updated to version 1.0.3. This patch should have applied automatically, but users can check for themselves by accessing the Extensions menu in Chrome.

Editors' Recommendations

Topics
Brad Jones
Brad Jones
Former Digital Trends Contributor
Brad is an English-born writer currently splitting his time between Edinburgh and Pennsylvania. You can find him on Twitter…
The best Google Chrome games for 2022

When most people think about Google Chrome, the search engine itself or apps like Gmail and Google Docs are typically the first things to come to mind. Google Chrome’s extensive list of free in-browser games isn't well-known. 

Google Chrome, in fact, has a vast array of apps and games from different genres that users can play on their mobile devices or laptop. With standouts like 2048 or Spelunky, among many others, you’re sure to find something you’ll enjoy.

Read more
Google Chrome extensions are failing, and $8,000 is on the table for a fix
A mouse pointer hovering over the CrankWheel Chrome Eextension.

There seems to be some mysterious problem affecting certain Chrome extensions, but it's intermittent enough that it hasn't yet been solved. The problem is annoying enough that one developer has posted two $4,000 bug bounties and created an Upwork job listing that pays up to $150 per hour. These incentives might inspire others to help track down and fix the bug.

First spotted by TechRadar and described in detail in a blog post written by Jói Sigurdsson, founder and CEO of the CrankWheel screen-sharing extension for the Google Chrome browser, the bug is related to a failure to trigger an action when the extension's icon is clicked on the toolbar. Since this is frequently how an extension is used, it's a crippling error. Unfortunately, the problem is difficult to recreate and is estimated to impact only 3% to 5% of those that have affected extensions installed.

Read more
Update Google Chrome now to protect yourself from an urgent security bug
Google Chrome app on s8 screen.

Google posted a security update for its Chrome browser that fixes what's known as a zero-day bug. The problem affects Chrome on Windows, Mac, and Android. The flaw can lead to arbitrary code execution, a serious security vulnerability, so it's best to download and install the latest version immediately. Zero-day bugs mean that this is a known weakness and, in this case, Google said that the flaw is already being exploited by hackers.

Google did not post a detailed explanation of how the exploit works, but will do so when the majority of people have updated, making the danger of further attacks less severe. The most severe bug is identified as CVE-2022-2294 and the update also patches CVE-2022-2295 and CVE-2022-2296.

Read more