If you work for the kind of company that imposes the WebEx experience even on mobile users, it’s update time.
A bug rated medium severity by Cisco has emerged, in which a malicious Android app could borrow the permissions held by WebEx Meetings for Android.
Unfortunately, those permissions are quite extensive (app developers just can’t resist the temptation to “ask for everything,” can they?).
WebEx Meetings for Android asks for access to:
- Device and app history (including running services)
- User identity (including the ability to create accounts on the device)
- Read and modify contacts
- Calling phone numbers (naturally enough)
- Photos, media files, the microphone and the camera (not surprising), and
- A bunch of other stuff including device ID.
Usually, to get that kind of access, a malware-writer would have to trick users into clicking “okay” on an excessive set of permissions (which all too many people would do anyhow). The WebEx slip, it seems to Vulture South, bypasses the “present a button for someone to click” stage.
Cisco claims more than five million installs for the app on its Google Play page.
The bug, according to the Cisco announcement, is “due to the way custom application permissions are assigned at initialisation.”
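Cisco's wording points at Android custom permissions, which an app declares in its own manifest. As an added example (not from the article or from Cisco, and not a reproduction of the WebEx flaw), here is a defender's check that flags exported components guarded by a custom permission any other app can obtain. The manifest, package name and component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed manifest for a hypothetical app; not taken from WebEx Meetings.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.meetings">
  <permission android:name="com.example.meetings.permission.CONTROL"/>
  <permission android:name="com.example.meetings.permission.SYNC"
              android:protectionLevel="signature"/>
  <application>
    <service android:name=".ControlService" android:exported="true"
             android:permission="com.example.meetings.permission.CONTROL"/>
    <provider android:name=".SyncProvider" android:exported="true"
              android:permission="com.example.meetings.permission.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>"""


def audit_custom_permissions(manifest_xml):
    """List exported components whose custom guard is weaker than 'signature'."""
    root = ET.fromstring(manifest_xml)
    # Base protection level of each permission this app declares.
    # Android treats a missing protectionLevel as "normal".
    levels = {}
    for perm in root.findall("permission"):
        level = perm.get(ANDROID + "protectionLevel", "normal")
        levels[perm.get(ANDROID + "name")] = level.split("|")[0].strip().lower()

    findings = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            guard = comp.get(ANDROID + "permission")
            # Simplification: a missing android:exported is read as false.
            exported = comp.get(ANDROID + "exported", "false") == "true"
            if exported and guard in levels and levels[guard] != "signature":
                findings.append((comp.get(ANDROID + "name"), guard, levels[guard]))
    return findings


if __name__ == "__main__":
    for name, guard, level in audit_custom_permissions(SAMPLE_MANIFEST):
        print(f"{name}: guarded by {guard} (protectionLevel={level})")
```

A "signature" permission is granted only to apps signed with the same certificate as the app that declared it, which is why the check treats every other level as a finding.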