WebEx’s “Magic Pattern” Goes Public

WebEx’s protection fails and leaves a wide open security hole. The popular browser plugin, from Cisco, used for web conferencing has around 20 million users and if you’re one of them, you may want to disable the plugin immediately.

Unfortunately, the WebEx plugin has an extremely simple security control in place; a “magic string pattern” that the plugin uses to verify usage from a website. Any website containing the “magic pattern” could then, through the plugin, execute remote code* through an iframe which could be almost unnoticeable to the user.

How does it work?

Google Project Zero researcher Tavis Ormandy discovered the flaw, and here is basically how it was described. If you have the WebEx extension on a Chrome browser, an attacker could send you a link for a WebEx meeting.  The link would lead to a site that is running an illegitimate “magic pattern” string contained in the URL. Once WebEx accepts the pattern, it automatically will run any commands given to it by the website. It’s that simple.

The “magic pattern” was reversed engineered and released to the public a couple of months ago. And while Cisco has patched WebEx as of last Sunday, Google has said it doesn’t fix the problem, and released their findings since it was beyond their grace period. Currently, both Google and Mozilla have removed the WebEx extension from their stores, as they feel the patch does not address other concerns.


*Remote Code Execution (RCE) can be an extremely high level of access to the users system and in some cases give complete control over to the attacker.

Be the first to comment

Leave a Reply

Your email address will not be published.


nine − one =