Skip to main content

Google researcher finds major security flaw in Cisco's WebEx Chrome extension

A hand on a laptop in a dark surrounding.
Image used with permission by copyright holder
A Google Chrome browser extension with a user base of 20 million has been updated to patch a serious security vulnerability that made it possible to run malicious code with a minimum of effort. Users of the Cisco Systems WebEx extension are encouraged to make sure that they have updated to version 1.0.3.

The issue was discovered by security researcher Tavis Ormandy, who alerted the company privately before publishing a blog post discussing the situation. Ormandy is a member of Project Zero, a team assembled by Google to hunt down zero-day vulnerabilities.

WebEx uses a 64-character string to remotely start a meeting on a PC with the extension installed. This string simply needs to be included in the URL of a file or resource hosted by a website — it can even be tucked away in a HTML-based iframe tab, making it more difficult to detect.

Ormandy found that this string could be used for much more than just initializing a WebEx session. Malicious entities could run any code or command they liked on another user’s system, simply by having them visit a site that contained this string while using the Chrome browser with the WebEx extension running.

This particular vulnerability had the potential to be catastrophic, given that it targeted a service that’s commonly used in an enterprise setting. Security researcher Martijn Grooten noted that the exploit could have caused chaos if it were combined with a ransomware attack, commenting on the situation in a report by Ars Technica.

Unfortunately, there are still some lingering worries about the security of the extension. Specifically, there are concerns that attackers would be able to take advantage of the gap in its security if Cisco’s WebEx website was to suffer a cross-site scripting vulnerability.

For now, the best recourse is to ensure that all installations of the WebEx extension have been updated to version 1.0.3. This patch should have applied automatically, but users can check for themselves by accessing the Extensions menu in Chrome.

Brad Jones
Former Digital Trends Contributor
Brad is an English-born writer currently splitting his time between Edinburgh and Pennsylvania. You can find him on Twitter…
Google Chrome gets one of Microsoft Edge’s best features
Google Chrome has been updated with a new sidebar feature.

Google Chrome has announced new updates for its browser to make searching more effective without having to open a new tab or return to a previous page after inputting a new search.

The Chrome sidebar feature comes just months after Microsoft introduced a similar feature to its own browser, Edge.

Read more
The best Google Chrome games for 2022

When most people think about Google Chrome, the search engine itself or apps like Gmail and Google Docs are typically the first things to come to mind. Google Chrome’s extensive list of free in-browser games isn't well-known. 

Google Chrome, in fact, has a vast array of apps and games from different genres that users can play on their mobile devices or laptop. With standouts like 2048 or Spelunky, among many others, you’re sure to find something you’ll enjoy.

Read more
Google Chrome extensions are failing, and $8,000 is on the table for a fix
A mouse pointer hovering over the CrankWheel Chrome Eextension.

There seems to be some mysterious problem affecting certain Chrome extensions, but it's intermittent enough that it hasn't yet been solved. The problem is annoying enough that one developer has posted two $4,000 bug bounties and created an Upwork job listing that pays up to $150 per hour. These incentives might inspire others to help track down and fix the bug.

First spotted by TechRadar and described in detail in a blog post written by Jói Sigurdsson, founder and CEO of the CrankWheel screen-sharing extension for the Google Chrome browser, the bug is related to a failure to trigger an action when the extension's icon is clicked on the toolbar. Since this is frequently how an extension is used, it's a crippling error. Unfortunately, the problem is difficult to recreate and is estimated to impact only 3% to 5% of those that have affected extensions installed.

Read more