
Google researcher finds major security flaw in Cisco's WebEx Chrome extension

A Google Chrome browser extension with a user base of 20 million has been updated to patch a serious security vulnerability that made it possible to run malicious code with a minimum of effort. Users of the Cisco Systems WebEx extension are encouraged to make sure that they have updated to version 1.0.3.

The issue was discovered by security researcher Tavis Ormandy, who alerted the company privately before publishing a blog post discussing the situation. Ormandy is a member of Project Zero, a team assembled by Google to hunt down zero-day vulnerabilities.


WebEx uses a 64-character string to remotely start a meeting on a PC with the extension installed. This string simply needs to be included in the URL of a file or resource hosted by a website; it can even be tucked away in an HTML-based iframe tag, making it more difficult to detect.

Ormandy found that this string could be used for much more than just initializing a WebEx session. Malicious entities could run any code or command they liked on another user’s system, simply by having them visit a site that contained this string while using the Chrome browser with the WebEx extension running.

This particular vulnerability had the potential to be catastrophic, given that it targeted a service that’s commonly used in an enterprise setting. Security researcher Martijn Grooten noted that the exploit could have caused chaos if it were combined with a ransomware attack, commenting on the situation in a report by Ars Technica.

Unfortunately, there are still some lingering worries about the security of the extension. Specifically, there are concerns that attackers would be able to take advantage of the gap in its security if Cisco’s WebEx website were to suffer a cross-site scripting vulnerability.

For now, the best recourse is to ensure that all installations of the WebEx extension have been updated to version 1.0.3. This patch should have applied automatically, but users can check for themselves by accessing the Extensions menu in Chrome.
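Administrators who need to confirm the update across many machines, rather than opening the Extensions menu on each one, can read the installed version from disk. The script below is an added example, not code from the article or from Cisco. It assumes Chrome's on-disk layout of `Extensions/<extension id>/<version>_<n>/manifest.json` inside a profile folder, and it takes the extension ID as a parameter that the reader copies from chrome://extensions, since the article does not give it.

```python
import json
from pathlib import Path

PATCHED = (1, 0, 3)  # fixed version named in the article


def parse_version(text):
    """Turn a dotted Chrome version such as '1.0.12' into a tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def find_outdated(extensions_dir, extension_id, patched=PATCHED):
    """Return [(version, manifest_path)] for installed copies older than `patched`.

    extensions_dir: a Chrome profile's 'Extensions' folder.
    extension_id:   the 32-character ID shown on chrome://extensions
                    (supplied by the caller; it is not given in the article).
    """
    outdated = []
    ext_root = Path(extensions_dir) / extension_id
    if not ext_root.is_dir():
        return outdated  # extension not installed in this profile
    for manifest in sorted(ext_root.glob("*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            version = parse_version(data["version"])
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            # Unreadable or malformed manifest: report it instead of skipping it.
            outdated.append(("unreadable", str(manifest)))
            continue
        # Tuple comparison is numeric, so 1.0.10 correctly counts as newer than 1.0.3.
        if version < patched:
            outdated.append((data["version"], str(manifest)))
    return outdated


if __name__ == "__main__":
    import sys
    # Usage: script.py <path to profile's Extensions folder> <extension id>
    for version, path in find_outdated(sys.argv[1], sys.argv[2]):
        print(f"needs update: {version}  {path}")
```

An empty result means every copy found in that profile is at 1.0.3 or later, or that the extension is not installed there.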

Brad Jones
Former Digital Trends Contributor