Cisco plugs WebEx for Android bug


If you work for the kind of company that imposes the WebEx experience even on mobile users, it’s update time.

A bug rated medium severity by Cisco has emerged, in which a malicious Android app could borrow the permissions held by WebEx Meetings for Android.

Unfortunately, those permissions are quite extensive (app developers just can’t resist the temptation to “ask for everything,” can they?).

WebEx for Android

WebEx Meetings for Android asks for access to:

  • Device and app history (including running services)
  • User identity (including the ability to create accounts on the device)
  • Read and modify contacts
  • Calling phone numbers (naturally enough)
  • Photos, media files, the microphone and the camera (not surprising), and
  • A bunch of other stuff including device ID.

Usually, to get that kind of access, a malware-writer would have to trick users into clicking “okay” on an excessive set of permissions (which all too many people would do anyhow). The WebEx slip, it seems to Vulture South, bypasses the “present a button for someone to click” stage.

Cisco claims more than five million installs for the app on its Google Play page.

The bug, according to the Cisco announcement, is “due to the way custom application permissions are assigned at initialisation.”


