14 DAY TRIAL // Cisco has just fixed a vulnerability in its WebEx Meetings app for Android, one that allowed third-party applications to steal the WebEx app's permissions and execute malicious code.
Cisco WebEx Meetings is a basic Web conferencing app developed around Cisco's WebEx service for online meetings and conferences. The service is quite potent and has a big foothold in the enterprise market, being used at different levels inside many companies around the world.
Since the WebEx app is not your standard Android game or flashlight app, it needs a lot of permissions. Some of them go beyond the default options, and they have been implemented on top of Custom Permissions feature in the Android OS.
This feature is quite unique because it also allows other apps to request the custom permissions already set up by an app, already installed on the user's device.
This is exactly how the WebEx vulnerability manifested itself, with attackers crafting malicious apps, that after tricking users into downloading and installing them, would hijack the WebEx app's higher permissions, and then use them to execute malicious code.
No user interaction was needed for attackers to leverage this vulnerability
"The vulnerability is due to the way custom application permissions are assigned at initialization," Cisco said in its security advisory. "An exploit could allow the attacker to utilize the custom application to silently acquire the same permissions as the WebEx application."
No interaction was needed from the user to allow a third-party app to hijack permissions. All was done programmatically, by exploiting loopholes in Android's and WebEx's code.
All Cisco WebEx Meetings for Android versions prior to 8.5.1 are vulnerable. The latest version can be downloaded from the Google Play store.
The vulnerability, with the CVE-2015-6384 identifier, has a CVSS severity score of 4.3 out of 10, getting a medium severity indicator.
