Vulnerabilities in Cisco Webex Could Covertly Eavesdrop on Meetings
An attacker could remain in the meeting as a ghost user and listen to audio even after being dropped from the conference.
Cisco has patched three vulnerabilities (CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419) in the Webex video conferencing application, exploitation of which allows attackers to join a meeting and eavesdrop on conversations as a “ghost user” invisible to other participants.
The vulnerabilities were discovered earlier this year by security researchers at IBM. A combination of the three problems allows an attacker to:
Join a Webex meeting as a ghost user, invisible to others in the Participant List, but with full access to audio, video, chat, and screen sharing.
Stay in a Webex meeting as a ghost user and listen to audio even after being dropped from the conference.
Get information about meeting attendees, including full names, email addresses, and IP addresses. This information can be obtained even while the attacker is still waiting in the lobby and has not yet been admitted to the meeting.
The issues are related to the “handshake” process that Webex performs when a meeting is established and participants connect, the researchers say. An attacker who knows the meeting URL can connect to the Webex server, send specially crafted packets, and manipulate the server into granting access to the meeting and to attendee information.
“We were able to demonstrate a ghost user issue on macOS, Windows, and the iOS version of the Webex Meetings apps, and the Webex Room Kit device,” the researchers added.
The vulnerabilities can only be exploited if the attacker knows the unique URL of a scheduled Webex meeting or of a user’s Personal Room. However, “Personal Rooms are easier to guess because they are often based on a predictable combination of the room owner’s name and the organization’s name.”
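To make the last point concrete, the following is an added example (not code from the article or from IBM or Cisco) that an administrator could run over an exported list of their organization’s Personal Room URLs to flag the ones an outsider could derive from a name alone. It assumes the Personal Room URL layout https://<org>.webex.com/meet/<room-id> and a handful of common corporate username conventions; both the layout and the conventions are assumptions for this example, and the sample names and URLs are constructed.

```python
import re

# Assumed Personal Room URL layout (assumption for this example, not taken from the article).
URL_TEMPLATE = "https://{org}.webex.com/meet/{room}"


def username_candidates(first: str, last: str) -> list[str]:
    """Return the usernames an outsider would try for a given full name.

    The conventions below (first.last, firstlast, flast, ...) are an assumed,
    deliberately small list; the point is that the search space is tiny.
    """
    f = re.sub(r"[^a-z]", "", first.lower())
    l = re.sub(r"[^a-z]", "", last.lower())
    if not f or not l:
        return []
    forms = [
        f"{f}.{l}",      # jane.doe
        f"{f}{l}",       # janedoe
        f"{f[0]}{l}",    # jdoe
        f"{f}_{l}",      # jane_doe
        f"{l}{f[0]}",    # doej
        f,               # jane
        f"{f}.{l[0]}",   # jane.d
    ]
    seen: set[str] = set()
    out: list[str] = []
    for u in forms:            # de-duplicate while keeping order
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def candidate_personal_room_urls(org: str, first: str, last: str) -> list[str]:
    """Every Personal Room URL an attacker could derive from org + owner name."""
    return [URL_TEMPLATE.format(org=org, room=u) for u in username_candidates(first, last)]


def is_guessable(url: str, org: str, first: str, last: str) -> bool:
    """True if this Personal Room URL is one of the name-derived candidates."""
    candidates = {u.lower() for u in candidate_personal_room_urls(org, first, last)}
    return url.strip().lower() in candidates


def audit(org: str, rooms: list[tuple[str, str, str]]) -> list[str]:
    """Return the URLs from (first, last, url) records that are guessable from the name."""
    return [url for first, last, url in rooms if is_guessable(url, org, first, last)]


if __name__ == "__main__":
    # Constructed sample export: two rooms named after their owners, one random.
    sample = [
        ("Jane", "Doe", "https://acme.webex.com/meet/jdoe"),
        ("Bob", "Smith", "https://acme.webex.com/meet/bob.smith"),
        ("Ann", "Lee", "https://acme.webex.com/meet/x7q9ktz4"),
    ]
    for url in audit("acme", sample):
        print("guessable from owner name:", url)
```

Only seven candidates per person are needed to cover the common conventions, which is why knowing an employee’s name and employer is enough to reach a Personal Room URL; the random-looking room in the sample is the one that would not be flagged.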