Cisco patches permission hijacking issue in WebEx Meetings app for Android

The flaw made it possible for rogue apps to hijack the Cisco app's permissions

Cisco patches permission hijacking issue in WebEx Meetings app for Android

A statue for Google's Android Marshmallow operating system sits on the Google campus in Mountain View on August 17, 2015.

Credit: Martyn Williams

Cisco has fixed a vulnerability in its WebEx Meetings application for Android that allowed potentially rogue applications to hijack its permissions.

The issue, which affected all versions of the app older than 8.5.1, stemmed from the way custom application permissions were implemented and assigned at initialization time.

In addition to the default permissions defined by the OS, applications can declare and request custom permissions, a feature that the Android developers recommend be used only if absolutely necessary. It is also possible for apps to request to use custom permissions declared by another application.

An attacker could trick users to download a rogue application to their Android device and then use it to exploit the WebEx vulnerability to gain the same permissions, Cisco said in an advisory Tuesday.

Cico WebEx Meetings is a Web conferencing application that supports two-way video communications. Its permissions are extensive and include: access to find, add and remove accounts and contacts from the device; access to take pictures and record audio and access to read and modify the contents of the USB storage.

Users should make sure that they're running Cisco WebEx Meetings 8.5.1 or newer. The latest version is available on Google Play.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.