Cisco patches permission hijacking issue in WebEx Meetings app for Android


A statue for Google's Android Marshmallow operating system sits on the Google campus in Mountain View on August 17, 2015.

Credit: Martyn Williams

The flaw allowed rogue apps to gain the same permissions as Cisco's app

Cisco has fixed a vulnerability in its WebEx Meetings application for Android that allowed potentially rogue applications to hijack its permissions.

The issue, which affected all versions of the app older than 8.5.1, stemmed from the way custom application permissions were implemented and assigned at initialization time.

In addition to the default permissions defined by the OS, applications can declare and request custom permissions, a feature that the Android developers recommend be used only if absolutely necessary. It is also possible for apps to request to use custom permissions declared by another application.
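To illustrate the custom-permission mechanism described above, here is an added Python example (not from the article or Cisco's advisory, which does not detail the root cause) that audits a source-form AndroidManifest.xml. It flags custom permissions not restricted to same-signed apps and custom permissions requested from other apps; the manifest and the `com.example.*` names are constructed, and `audit_custom_permissions` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; all com.example.* names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.meetings">
    <permission android:name="com.example.meetings.permission.JOIN" />
    <permission android:name="com.example.meetings.permission.SYNC"
        android:protectionLevel="signature" />
    <permission android:name="com.example.meetings.permission.SHARE"
        android:protectionLevel="dangerous" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="com.example.other.permission.READ" />
</manifest>
""".strip()


def audit_custom_permissions(manifest_xml):
    """Return (finding, permission_name, protection_level) tuples."""
    root = ET.fromstring(manifest_xml)
    findings = []
    declared = set()

    # Custom permissions this app declares.
    for perm in root.iter("permission"):
        name = perm.get(ANDROID_NS + "name", "")
        declared.add(name)
        # Android treats a missing protectionLevel as "normal".
        level = perm.get(ANDROID_NS + "protectionLevel", "normal")
        base = level.split("|")[0]  # drop flags such as "|privileged"
        # Only signature-based levels limit the grant to same-signed apps.
        if base not in ("signature", "signatureOrSystem"):
            findings.append(("weak-protection-level", name, base))

    # Custom permissions requested here but declared by some other app.
    for use in root.iter("uses-permission"):
        name = use.get(ANDROID_NS + "name", "")
        if not name.startswith("android.permission.") and name not in declared:
            findings.append(("foreign-custom-permission", name, None))

    return findings


if __name__ == "__main__":
    for finding in audit_custom_permissions(SAMPLE_MANIFEST):
        print(finding)
```

The script reads the text manifest from a source tree; a manifest extracted from an APK is in binary form and must be decoded first.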

An attacker could trick users into downloading a rogue application to their Android device and then use it to exploit the WebEx vulnerability to gain the same permissions, Cisco said in an advisory Tuesday.

Cisco WebEx Meetings is a Web conferencing application that supports two-way video communications. Its permissions are extensive and include access to find, add and remove accounts and contacts from the device; access to take pictures and record audio; and access to read and modify the contents of the USB storage.

Users should make sure that they're running Cisco WebEx Meetings 8.5.1 or newer. The latest version is available on Google Play.
