Cisco patches permission hijacking issue in WebEx Meetings

The flaw allowed rogue apps to gain the same permissions as Cisco's app.


Cisco has fixed a vulnerability in its WebEx Meetings application for Android that allowed potentially rogue applications to hijack its permissions.

The issue, which affected all versions of the app older than 8.5.1, stemmed from the way custom application permissions were implemented and assigned at initialization time.

In addition to the default permissions defined by the OS, applications can declare and request custom permissions, a feature that the Android developers recommend be used only if absolutely necessary. It is also possible for apps to request to use custom permissions declared by another application.
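The sketch below is an added example, not Cisco's code and not a reconstruction of the WebEx flaw, whose details this article does not give. It shows how a defender can review an app's decoded, text-form AndroidManifest.xml for the two cases described above: custom permissions the app declares, and custom permissions it requests that are declared elsewhere. The package and permission names are constructed.

```python
import xml.etree.ElementTree as ET

# Attribute names in the manifest live in the android: XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Base protection levels that restrict a permission to apps signed with
# the declaring app's key (or, for the deprecated level, system apps).
RESTRICTED = {"signature", "signatureOrSystem"}

# Constructed sample manifest (hypothetical package and permission names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.meetings">
    <permission android:name="com.example.meetings.permission.JOIN" />
    <permission android:name="com.example.meetings.permission.ADMIN"
        android:protectionLevel="signature" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="com.example.meetings.permission.JOIN" />
    <uses-permission android:name="com.example.other.permission.SYNC" />
</manifest>
"""

def audit_custom_permissions(manifest_xml):
    """Summarise custom permission declarations and requests in a manifest."""
    root = ET.fromstring(manifest_xml.strip())
    declared = {}
    for perm in root.iter("permission"):
        # Android treats a missing protectionLevel as "normal".
        declared[perm.get(A + "name")] = perm.get(A + "protectionLevel", "normal")
    requested = [u.get(A + "name") for u in root.iter("uses-permission")]
    # The base level precedes any flags, e.g. "signature|privileged".
    open_to_any_app = sorted(
        name for name, level in declared.items()
        if level.split("|")[0] not in RESTRICTED
    )
    # Heuristic: a requested name this app does not declare and that is not
    # in the platform's android.permission namespace is declared elsewhere.
    external_custom = sorted(
        name for name in requested
        if name not in declared and not name.startswith("android.permission.")
    )
    return {
        "declared": declared,
        "open_to_any_app": open_to_any_app,
        "external_custom": external_custom,
    }

if __name__ == "__main__":
    for key, value in audit_custom_permissions(SAMPLE_MANIFEST).items():
        print(key, value)
```

Permissions listed under `open_to_any_app` can be requested by any installed application, so they should not be the only control protecting a sensitive component.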

An attacker could trick users into downloading a rogue application to their Android device and then use it to exploit the WebEx vulnerability to gain the same permissions, Cisco said in an advisory Tuesday.

Cisco WebEx Meetings is a Web conferencing application that supports two-way video communications. Its permissions are extensive and include access to find, add and remove accounts and contacts from the device; access to take pictures and record audio; and access to read and modify the contents of the USB storage.

Users should make sure that they're running Cisco WebEx Meetings 8.5.1 or newer. The latest version is available on Google Play.