Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution (chromium.org)
273 points by _vvdf on Jan 23, 2017 | hide | past | favorite | 64 comments



Oh my god. This is the pinnacle of stupidity and stuff like this is why over time extensions will lose functionality until they will be removed completely. Browser vendors understandably want blunders like this to not be happening.

We're yelling at browser vendors for locking down their browsers more and more and for removing more and more features that allow developers more native access, but then stuff like this happens.

Who thought that exposing the full native OS API via a (cumbersome) scripting language was a good idea? Why does this need to be a browser extension and not something I need to explicitly install on my machine?

Java Applets at least had a sandbox (albeit with flaky security). They have gone away because of security concerns, but as people still need some native access, people build stuff like this that is infinitely worse than what Java has ever been. Instead of a single sandbox, we're now relying on an unlimited amount of only mildly competent developers coming up with elaborate schemes that do nothing but provide a slight bit of obscurity.

That uuid and the base64 encoding of the library name and function calls point to the fact that the developers felt uncomfortable, which is good I guess. That they then chose to use such an impotent method of protection is less so. At this point, why did they even bother?

I'm starting to think that we are actually worse off now than we were in the age of Java Applets and NSAPI plugins


And this is why browsers keep on pushing more and more features into the web platform: to get rid of people writing extensions and plugins like this.


WebEx is the worst conferencing software I've used. Their Linux support is worse than non-existent. If it were non-existent that would be it; life could go on. But no, they provide a Java applet that runs only from Firefox, with which it's impossible to use audio because they are still at 32-bit, that claims to share one application and instead shares your whole screen (and only if you are lucky and someone tells you will you ever know), and that occasionally (like one hour before an important meeting) gets a release with bad manifests so the applet refuses to download its components.

Even their Android client can't manage the mic volume properly and people can't hear you.


I was asked to join a call yesterday using appear.in[1]. Having never used this service before, I feared the worst and accessed the invitation link a good 20 minutes before the call was due to start.

Using Chromium on Debian, everything worked absolutely smoothly. No further install requested. Audio quality was great. My video picture looked a bit grainy to me, but the other participant appeared very clear on my end.

They're using WebRTC[2], which excludes Explorer and Safari, but covers recent versions of just about everything else.

After poor experiences using Skype, Webex and Hangouts, I was very pleasantly surprised by appear.in

[1] https://appear.in

[2] http://support.appear.in/article/94-who-can-use-appear-in


WebEx is not the worst but definitely among those which are considered the worst;-)

Currently my company uses Hangouts, BlueJeans, Zoom, and WebEx - don't know why there is no decision made.

In this context it is the worst - I tried to run it on Linux. Like you said, now that Chrome support is gone, I can only launch the Java (Swing, not a Java applet for sure) UI via Firefox, and end up with a crappy slow GUI, no ability for screen sharing & viewing, no audio, utterly useless.

On Linux, web conferencing services that provide a lite (feature rich) version like BlueJeans and GoToMeeting (chrome extension and/or web version) are pleasant to use.

I personally prefer to use Hangouts if no such pure web version is available although Hangouts seems to have lost its gravity…


Their phone line support seems to be high quality though, other participants are more intelligible than Skype for business.


Tin cans and string are more intelligible than Lync, aka "Skype for Business". It's the worst thing I've ever used in this space, by an absurdly large degree.


I received a Lync / Skype for Business invitation (in G Suite - AKA Gmail) with no time and date, just a URL (custom domain for this company). Clicking on that link: dead link... (later on it was fixed but asked me to install an add-on; did it in a Windows virtual machine, joined the meeting, meeting expired...)

Ridiculous experience, worst web conferencing service I have ever used (I consider it even worse than Oracle Beehive Conferencing - not many people know this). In contrast, WebEx is way better (phone dial-in quality is pretty good).


Oh gawd Beehive. Is it still alive? Why did Oracle ever think they should get into groupware???


I believe Oracle is still using Beehive Collaboration Suite https://stbeehive.oracle.com (conferencing as a part of the suite) internally, for email (Thunderbird is the preferred client, WoW), calendar (CalDAV) etc.

Beehive Conferencing used to be the default option for remote web conferencing (it actually has a better Linux version than WebEx). Beehive's predecessor, whose name I cannot even remember, used to be Windows ONLY and crashed attendees' Windows (BSOD) randomly (15-20%...) LoL


I have used virtually all commercial conferencing services and, aside from the lack of Linux support, have found WebEx to be by far the most stable solution that integrates voice from phone lines (far better quality than voice over IP), video and presentation. Blue Jeans comes close but has very limited countries with phone line support.


agreed. I prefer GoToMeeting whenever possible. I really want to be able to join via VoIP or at least get the system to call me back on my SIP phone (so I have my hands free and can write down notes).

WebEx just seems castrated, feature-wise.


Maybe down to your Webex platform version - at work, we can get a dialback (Cisco SIP phones on desk and softphones), connect via computer or dial in to toll-free or chargeable numbers.

For meetings that fall into my evening, I join conferences via a tablet and the Android App, and connect to audio through it so I can relax or move about the house.


yes, of course, it depends on the webex implementation. But whenever I get a client with webex, they seem to have all good features cut out - and I don't know why.


It's a Cisco product so licence, licence, licence, licence ??


WebEx is definitely among the best ones.

I remember the joy of using WebEx for the first time back in 2006, instead of Netmeeting or the other applications we had available to us.


I use Webex from Chrome every day (macOS). It works great. It's the best conferencing software I've used.

I didn't even know they had any kind of Linux support. Internally, Cisco only supports macOS and Windows on the desktop so it's no wonder the Linux support is bad. If you absolutely need to use Webex then clearly using desktop Linux is a bad idea.


How did they manage to make a Chrome extension that works on Mac but not Linux? Chrome extensions can't contain platform native code, and Chrome doesn't support other kinds of plugins anymore.


It's an "extension" that launches the client app.


Why do you need an extension for that? Wouldn't it be enough for the client app to register a custom URL scheme handler and for their website to use that custom URL scheme to open the client?


I don't know exactly what the extension does behind the scenes, but I use Webex daily for my job and almost all my clients suggest just using the temporary application to join is a better experience by far. The extension constantly fails to launch the application correctly and from what I'm told does some other non-sense that causes CPU spikes and connectivity issues.

It also doesn't inspire confidence that this is the screenshot of the Chrome Extension they give users to encourage them to use the extension: http://imgur.com/a/Rsy3H

(For those who don't want to click, the screenshot showing the install has the rating from the Chrome Webstore, which is currently at 2 stars)

I mean, I applaud the honesty of showing us what users have rated it, but it just seems kind of sloppy to me.


You can, but that results in a ton of UI where the user has to navigate between "allow" custom protocol and then selecting what applications are allowed to launch via this protocol.

Currently it's a maze of dialogs only technical people are able to navigate successfully. Expecting people already in need of support to manage to bypass this deliberate inconvenience is simply unrealistic.

The company I work for used to maintain a solution based on this approach. It worked well until browser-vendors started tightening up security.

After that we had to come up with a different solution all together, because almost no users managed to configure our integration successfully.

(And that rewrite was a lot of work, so I can see why Cisco/WebEx has been postponing it as much as possible)


Couldn't they also have a webx file extension and launch it that way? Or abuse copy/paste abilities? The former would allow easy desktop bookmarks as well.

They could even, god forbid, accept that it's not possible instead of coming up with "clever" ways to make it possible.


> The extension works on any URL that contains the magic pattern "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html", which can be extracted from the extension's manifest. Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening; visiting any website would be enough.

It seems bonkers that someone would think it is a good idea to not at the very least have any domain level validation. It is also another mark against the more eyes mean more security mindset. That flaw would be available in clear text to anyone who bothers to examine the manifest of the Chrome extension. It just seems like no white hat bothered to look before.
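
To make the "no domain-level validation" point concrete, here is an added example (not code from the thread, from Tavis's report, or from Cisco's extension): a small evaluator for Chrome extension match patterns, run against a pattern that pins only the path and one that also pins the host. The magic filename is the one quoted above; the two manifest patterns, the attacker host and the webex.com URLs are assumptions constructed for illustration, not the extension's actual manifest or captured traffic.

```javascript
// Added example: Chrome match-pattern evaluation, showing why a pattern that
// pins only the *path* fires on any origin (including a hidden iframe on an
// attacker's page) while a host-pinned pattern does not.
// The magic filename is quoted from the thread; everything else is assumed.

const MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html";

// Assumed "before" pattern: any scheme, any host, path merely contains MAGIC.
const BROAD_PATTERN = `*://*/*${MAGIC}*`;
// Assumed "after" pattern: https only, webex.com and its subdomains only.
const HOST_PINNED_PATTERN = `https://*.webex.com/*${MAGIC}*`;

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile a Chrome match pattern (scheme://host/path) into a predicate over URLs.
// Rules implemented: scheme "*" = http or https; host "*" = any host,
// "*.example.com" = example.com and any subdomain, otherwise an exact host;
// "*" in the path matches any run of characters, and the path is matched
// against pathname + query string, as Chrome does.
function compileMatchPattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const schemes = scheme === "*" ? ["http:", "https:"] : [`${scheme}:`];
  const pathRe = new RegExp("^" + path.split("*").map(escapeRegex).join(".*") + "$");
  return (urlString) => {
    const u = new URL(urlString);
    if (!schemes.includes(u.protocol)) return false;
    const h = u.hostname.toLowerCase();
    if (host === "*") {
      // any host is accepted
    } else if (host.startsWith("*.")) {
      const base = host.slice(2).toLowerCase();
      if (h !== base && !h.endsWith("." + base)) return false;
    } else if (h !== host.toLowerCase()) {
      return false;
    }
    return pathRe.test(u.pathname + u.search);
  };
}

const broadMatches = compileMatchPattern(BROAD_PATTERN);
const hostPinnedMatches = compileMatchPattern(HOST_PINNED_PATTERN);

// Constructed URLs (assumed): an attacker-controlled page that could be loaded
// in a hidden iframe, a legitimate https webex.com page, and a plaintext
// webex.com page of the kind a network attacker could serve without HSTS.
const ATTACKER_URL = `https://attacker.example/anything/${MAGIC}`;
const WEBEX_HTTPS_URL = `https://meetings.webex.com/join/${MAGIC}?id=1`;
const WEBEX_HTTP_URL = `http://www.webex.com/${MAGIC}`;

// Reports which of the two patterns would inject the content script for a URL.
function whichPatternsFire(url) {
  return { broad: broadMatches(url), hostPinned: hostPinnedMatches(url) };
}

for (const url of [ATTACKER_URL, WEBEX_HTTPS_URL, WEBEX_HTTP_URL]) {
  console.log(url, whichPatternsFire(url));
}
```

The broad pattern fires on the attacker's page, which is the bug the comment describes; the host-pinned pattern does not, but it still fires on every webex.com page, which is why the later comments point out that an XSS on webex.com keeps the same consequence.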


Tavis is at it again, huh. Man, is he one productive fellow!

Cisco's proposed fix for the exploit seems a bit hacky though.


Tavis is an excellent researcher, but it's important to remember that finding bugs and posting them publicly is his full-time job, so it's not too surprising that he finds a few bugs that are noteworthy every month. He seems to emphasize breadth rather than depth in his searching, which is part of the reason he finds so many! After all, bugs are dense and most software is crap...

I suspect there are many others who are just as capable of doing the same work, but either A) don't have the opportunity (e.g. they have day jobs, few people work on P0) or B) aren't as public about their findings (e.g. exploit brokers, nation states, etc)

Anyway, that's what I remind myself whenever I start thinking "I wish I could be as cool as Tavis". Someday I'd love to have the opportunity to do the same work.


Agreed, but the fact that he's able to consistently discover horrendous exploits never ceases to impress me. I also love how he has broken basically every major AV software out there.


If he ever decides to leave Google and start his own company / start consulting to software development shops, I don't think he'll have any trouble finding customers.


I have and always will despise WebEx. It's the most non-user-friendly enterprisey garbage I've ever dealt with.

Good luck using it if you have a single non technical client on call.


As a sysadmin who spent years working with Cisco in business, I now advocate business run away, not walk, as fast as possible from Cisco reps, lest they get ahold of your budget and drain it while installing backdoors in your systems, like the NSA loving techno-vampires they are.


As someone who has friends who have worked for Cisco Security I can say with a fair amount of confidence they're not "NSA loving techno-vampires"

Here's a whitepaper on one of their newer products that is fully end-to-end encrypted (meaning anti-NSA): http://www.cisco.com/c/dam/en/us/solutions/collateral/collab...


I second this. My advisor and I recently visited Cisco to present some embedded security work we've been doing. From what I could gather, they were very interested in ensuring that their customers' applications and devices were secure. They were also looking for ways to provide their customers with ways to check for government backdoors.


There's an honest question about how deep that support goes though. Is it just that group, which is a tiny tiny part of a megacorp? How much influence do they have on the huge number of shipped products? What percentage of shipped Cisco products get a security review?


An alternative line of thought is, making the right noises for the customers while also keeping the bribe budgets liquid, to put it crassly.

Putting my security researcher hat on, maybe this tiny little group's purpose is to figure out and get intel on what directions customers are actually looking in, so they know where to hide stuff.

Not comfortable talk, I know. I'm inspired by http://video.fosdem.org/2014/Janson/Sunday/NSA_operation_ORC... (46:05, well worth watching; 357MB)


Actually, the team we met with was responsible for figuring out how to incorporate low-level security into all Cisco devices.

I sadly do not know the answer to the rest of your questions.


If both ends are owned and implemented by one company then end-to-end might not mean much.

Not suspecting Cisco of anything nefarious here, but such brochure-speak doesn't necessarily mean much.


Actually if you read the paper, the architecture is designed in such a way that the key management server can be implemented as an on-premise box while all the rest of your data lives in Cisco's cloud. In that situation, Cisco has access to your data but it's fully encrypted with keys that they do not have access to, making it a true end-to-end solution. It's a pretty interesting design that allows companies to be the only ones with access to the raw, unencrypted data while still letting Cisco manage everything in the cloud.

Now this does only apply for companies that choose to go with the on-premise KMS, if not, Cisco manages the KMS in their own cloud as well, which does mean it's not a true e2e solution (although like I said, I can speak with a pretty high level of confidence that security is one of the top priorities)


But the client (Cisco software) does the encryption, does it not? Therefore it has access to the unencrypted data, and therefore can do what it likes with it.

So my comment (weak as it is) stands.


I mean I suppose that's true but that's a terribly weak argument. You could say the same thing about Signal which is considered one of the most secure messaging applications on the market at the moment. It's pretty trivial to monitor network traffic to see that the unencrypted data never leaves your own device


Cisco does all this for the small price of one billion usd


EDIT: I messed something up. I don't think anymore what I wrote below.

That took too long. Of course, just like RSA Security LLC now they will try to better their image. I think they had their chance.


As far as I know, security has always been one of Cisco's top priorities which is one of the reasons they have been so strong in the enterprise market. It's almost inevitable at some point that bugs like the one in the link here pop up but I haven't heard of any backdoors or nefarious practices from Cisco in the past.


Cisco has been strong in the enterprise market because they are good at marketing to the enterprise market, and providing certifications so that they can ensure a labor pool for IT departments.

Part of the marketing is talking about security. It's unclear if the reputation matches reality though.

I say this as someone who has become super disillusioned with Cisco, as the thread originator has. But this is mostly because of their switch products, pricing, configuration management, and end user software. I don't have much experience with their security, though I have no reason to suspect that it's the least bit better than any other company's security, based on the amount of patching and their default configurations.


I was prompted to install the plugin for WebEx a few weeks ago to attend an online meeting and am glad I had the right instincts about it. Everything about it screamed "wrong decade".


WebEx is horrible software to begin with. Hopefully this just convinces more companies to drop the monstrosity.


I'm honestly curious as to why they don't use browser APIs for WebEx. It seems that they don't offer any feature that plenty of others manage to implement with just plain ol' HTML5.


Hard to do 25-user video and audio conferencing with shared desktop, chat, and recording all in HTML5. In fact I don't think I'd be out of line to say that it's impossible, so your assertion that others do so is dubious...


Isn't this what the Firefox Hello demo was for -- to prove that it's possible?

Multi-user screen sharing (I didn't realise this), video conferencing, chat and audio. From your browser.

It's since been discontinued but the ideas (and means to do this) live on in other projects; some listed here: https://support.mozilla.org/en-US/kb/hello-status


Hangouts does basically that. All of that. With just HTML5 (though they only support Chrome). appear.in does most of that too. And a dozen other tools out there.

"impossible"? Hardly. It's even been done.


You may want to check out https://www.pexip.com


IIRC WebEx has an HTML5 no-plugin version; I used it to join a conference the other day. I'm glad I didn't install the plugin!


Interesting seeing the results of the Observatory[1] given at the bottom of the report.

[1]https://observatory.mozilla.org/analyze.html?host=www.webex....


www.firefox.com has a score of C, with a recent F score in their grade history.

It looks like this is a really strong set of security requirements. According to their stats, 87% of sites tested have an F score, and only 1.47% have an A- or higher.


firefox.com has a relatively low score because of a goal to keep it accessible by older browsers on older operating systems (i.e., out-of-the-box, you should be able to load it on the oldest systems Firefox supports, which I believe include XP SP2).


The whole point is to make sure you can actually get to a browser that can access "A" sites, so it's not representative.


Pass the Ball™ to random script kiddies and hostile government agencies with WebEx!


If there's supposed to be a 90 day disclosure lag, why is this on Hacker News today?


It got fixed. Note the discussion about high turnaround time.

EDIT: The better technical term would be "arguably patched." See reply below.


> It got fixed.

Just so that nobody reading the comments gets the wrong idea: read the whole discussion. Fixed here seems very subjective; they only seem to have limited the extension to the webex.com domain. In particular,

> although this does mean any XSS on webex.com would allow remote code execution

and

> doesn't use HTTP Strict Transport Security, either as a header or by being preloaded

My understanding is that this means not only that any XSS on webex.com would lead to possible exploitation, but also that anyone who can MitM your machine, such as in a coffee shop, could use that to gain remote execution by intercepting and faking a request to an unsecured webex.com. (Since no HSTS is in place, the browser would allow it.)

The latter is less likely, but nonetheless, this extension seems to allow anyone who can talk to it an RCE, which seems far from fixed.


Yeah, after a quick look I already found an XSS on a *.webex.com subdomain, but it only works in Internet Explorer and Edge because those browsers don't escape URLs, so it doesn't affect the Chrome or Firefox extensions, but it tells you something about how secure these subdomains are (and the IE browsers).


Very good point. My comment is <1h old so I was able to edit it. IMO this issue was unsealed a little hastily; yes, it's not directly attackable now, but as you say the attack vector is still technically there.


Loading any insecure page on a hostile network is an instant remote unprompted code execution exploit with this extension installed.


even worse, there is no X-Frame-Options header, so an attacker needn't bother with a MITM: Just set up a page with an iframe...
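
The two residual vectors raised in this sub-thread (no HSTS, so a network attacker can serve a plaintext webex.com page; no X-Frame-Options, so any site can embed a webex.com page in a hidden iframe) come down to response headers. As an added example that is not from the thread, from the report, or from Cisco, here is a small header audit that parses Strict-Transport-Security and the framing headers and reports which of those two paths stays open. The header sets are constructed for illustration, not captured from webex.com; the HSTS preload-list flag is an input the caller supplies, since the list itself is not consulted here.

```javascript
// Added example: audit the headers of a host that a browser extension trusts,
// for the two gaps discussed above. All header sets below are constructed.

// Parse a Strict-Transport-Security value into its directives.
function parseHsts(value) {
  if (!value) return null;
  const directives = value.split(";").map((d) => d.trim().toLowerCase()).filter(Boolean);
  const maxAge = directives.find((d) => d.startsWith("max-age="));
  return {
    maxAge: maxAge ? parseInt(maxAge.slice("max-age=".length), 10) || 0 : 0,
    includeSubDomains: directives.includes("includesubdomains"),
    preload: directives.includes("preload"),
  };
}

// True if cross-origin framing is blocked, either by X-Frame-Options
// (DENY / SAMEORIGIN) or by a CSP frame-ancestors directive that is not "*".
function framingBlocked(lowerHeaders) {
  const xfo = (lowerHeaders["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return true;
  const csp = lowerHeaders["content-security-policy"] || "";
  const fa = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (!fa) return false;
  const sources = fa.split(/\s+/).slice(1);
  return sources.length > 0 && !sources.includes("*");
}

// Audit one host's response headers. `onPreloadList` is supplied by the
// caller (true if the host is on the browser HSTS preload list).
function auditExtensionHost(headers, { onPreloadList = false } = {}) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const hsts = parseHsts(h["strict-transport-security"]);
  const hstsEffective = onPreloadList || (hsts !== null && hsts.maxAge > 0);
  const framed = framingBlocked(h);
  const findings = [];
  if (!hstsEffective) {
    findings.push("no HSTS: a network attacker can serve a plaintext http:// page for this host to the victim");
  }
  if (!framed) {
    findings.push("no framing protection: any site can embed a page from this host in a hidden iframe");
  }
  return { hstsEffective, framingBlocked: framed, findings };
}

// Constructed header sets (assumed, not captured):
// as described in the thread (neither protection present) ...
const WEAK_HEADERS = { "Content-Type": "text/html", Server: "example" };
// ... and what a hardened response would carry.
const HARDENED_HEADERS = {
  "Content-Type": "text/html",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
};
// CSP-only framing protection, and an HSTS header that actually clears the policy.
const CSP_ONLY_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=0",
};

for (const [name, headers] of Object.entries({ WEAK_HEADERS, HARDENED_HEADERS, CSP_ONLY_HEADERS })) {
  console.log(name, auditExtensionHost(headers));
}
```

Note that neither header helps against the first vector the thread names, an XSS on webex.com itself; HSTS removes the coffee-shop MitM route and framing protection removes the "victim never has to visit webex.com" route, but the extension still trusts whatever runs on that origin.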


The disclosure is at min(fix_date, report_date + 90 days).



