back to article Cisco Webex bug allowed anyone to join a password-protected meeting

Cisco has confessed to a vulnerability in its Webex Meetings Suite sites and Webex Meetings Online sites that allowed an "unauthenticated" attendee sitting on a workstation far, far away to join a "password-protected meeting without providing the meeting password". According to the security advisory, which was rated as "High …

  1. Khaptain Silver badge

    TLA

    Question : Was this intentionally done for one or more of the TLA's ?

    If it was, then surely we should ban Cisco from our companies as they have obviously been comprised / have backdoors / are TLA controlled companies.

    1. alain williams Silver badge

      Re: TLA

      No you only talk about banning Chinese companies that might be controlled by their government. Cisco is controlled by a friendly government - or so we are told.

      1. phuzz Silver badge

        Re: TLA

        Friendly to who? The US only looks out for itself.

        1. Claptrap314 Silver badge

          Re: TLA

          And I would say the same thing about any corporation. What is your point?

    2. Anonymous Coward
      Anonymous Coward

      Re: TLA

      Depending on what you believe the lawful intercept laws say for telecoms, they may have to allow this anyway, and not via adding another visible participant into the meeting...

      1. Venerable and Fragrant Wind of Change
        Black Helicopters

        Re: TLA

        Maybe it's new legislation (such as the aussie backdoor law) invalidating an existing government snoophole. So they're announcing/closing it after introducing a new/updated one.

        Or maybe someone at Cisco just wasn't told about the TLAs, and this should never have come out?

    3. fidodogbreath Silver badge

      Re: TLA

      Was this intentionally done for one or more of the TLA's ?

      Highly unlikely. The article ad that the unauthenticated user was visible in the attendee list. That's not how spies prefer to work.

  2. Mike 137 Silver badge

    'an "unauthenticated" attendee'

    I so wish folks would stop perpetrating this ridiculous ungrammatical use of "-ee". An attendee is someone who is attended, like the Queen or Donald Trump. The person doing it is an attender (or sometimes "-or", as in gladiator). The gladiatee was the person spifflicated by the gladiator's gladius or short sword. Similarly an "escapee" is someone who is escaped from (e.g. a guard). The person doing the escaping is an escaper.

    If we hadn't abandoned teaching grammar and etymology, the language might have had a chance of survival. Instead it's now Humpty Dumpty time, so any old noise will do for anything you mean. Get it wrong often enough and it becomes accepted as right (particularly if some clueless goat built it into a spell checker), but it remains wrong because words and components of words have intrinsic meanings by virtue of their origins.

    1. Anonymous Coward
      Anonymous Coward

      Re: 'an "unauthenticated" attendee'

      Language changes

    2. Robert Carnegie Silver badge

      Re: 'an "unauthenticated" attendee'

      Dictionary says "escapee" has been around since the 1860s. "Attendee" the 1930s. The others just sound weird. Sorree. ;-)

    3. Robert Helpmann??
      Headmaster

      Re: 'an "unauthenticated" attendee'

      As the AC noted, language changes. The admittedly few lexicographers I have spoken with take a descriptive rather than prescriptive approach to language. As far as the word of the moment, the first use of "attendee" predates most folks' time on this Earth (first recorded ca. 1935), so it seems a bit late to protest.

    4. fidodogbreath Silver badge

      Re: 'an "unauthenticated" attendee'

      Don't look out the window; they might be on your lawn...

    5. HildyJ Silver badge
      Pint

      Re: 'an "unauthenticated" attendee'

      Get over it. I'm much more irritated by you, I, and all of our ilk being referred to as commentators instead of commenters. And don't get me started on the death of the Oxford comma.

      1. O RLY

        Re: 'an "unauthenticated" attendee'

        The El Reg Style Guide says we are "commentards."

        The Oxford comma still lives, but there are apostates everywhere threatening it. Long live the Oxford comma!

    6. IGotOut Silver badge

      Re: 'an "unauthenticated" attendee'

      " Get it wrong often enough and it becomes accepted as right"

      Considering this covers pretty much of the English language, your point is invalid.

      If you don't believe this to be true, go and read something written from the medieval time period. Good luck.

      1. Venerable and Fragrant Wind of Change

        Re: 'an "unauthenticated" attendee'

        When I read Chaucer, having heard that his language was incomprehensible to the modern reader, I assumed what I had was a modern translation.

        It wasn't. Claims about mediæval English are grossly overblown.

        Now Beowulf, on the other hand, I find as incomprehensible as Finnegans Wake.

  3. RegGuy1 Silver badge

    Webex -- you mean the app that gobbles my CPU?

    This made me laugh: "The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee," said Cisco.

    Followed by: "Cisco PSIRT is aware of active use of the vulnerability that is described in this advisory."

    So you just set your name to someone who is already on the call and join with that. I've been on many Webex calls where someone is on twice (or even more times) because you just can't get the bloody software to let you in, so you try a different browser or try on your phone.

    I have to say I've found the software to offer a very poor quality meeting -- most of the time the voices break up. Why on earth does it have to be such a massive and complex application? Poo -- that's my assessment.

    1. hplasm
      Devil

      Re: Webex -- you mean the app that gobbles my CPU?

      Annoying that Unauthorised Attendists ( :) ) can join a Webex session, when the invited users have a 50% chance of logging in correctly.

      Still better than Lync though...

  4. phuzz Silver badge

    Potential attackers are welcome to join my meetings, but they do run the risk of dying of boredom.

    1. This post has been deleted by its author

    2. spold Silver badge

      Indeed, not only do you attend your own company dumb meetings, now you can attend someone else's dumb meetings as well.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021