[cisco-voip] Strange Webex Meetings PMR URI Thing

Anthony Holloway avholloway+cisco-voip at gmail.com
Tue Apr 9 12:35:50 EDT 2019


Update

I had two people contact me off list shortly after I sent the initial
email:

- One person recommended reporting to PSIRT, which I did, but I never heard
anything back
- One person said they were reaching out to Webex contacts to confirm, but
I never heard back

It's still a problem, and here's a small insight:

From the end user perspective, the PMR URL ends with /anthony, but from the
Control Hub advanced user settings page, it shows that it ends with
/aholloway.

[image: image.png]

On Wed, Mar 6, 2019 at 2:47 PM Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:

> I am wondering if anyone else knows why this might be happening, or if
> they have even themselves experienced this.
>
> I am a Cisco Partner, and thus, have a Partner Account for Webex Control
> Hub, and several customers in there, for which we manage.  I am a Partner
> Admin.
>
> I am a Full Admin in the Customer view.
>
> My own company's Webex is classic admin site Webex, and my own personal
> PMR is (sub-domains sanitized):
>
> https://mycompany.webex.com/meet/anthony
>
> If I go to one of my Customer's Webex sites, but using my PMR URI, e.g.,
>
> https://mycustomer.webex.com/meet/anthony
>
> It will stay on their sub-domain, but utilize my own Company PMR.
>
> I do have an account on the customer site, but my email address is one of
> their domain addresses, and my PMR URI is:
>
> https://mycustomer.webex.com/meet/aholloway
>
> As a test, I took another Customer, but one I don't work on, nor have an
> account there, and tried to access my own Company PMR URI but at their
> sub-domain, and it works there too:
>
> https://anothercustomer.webex.com/meet/anthony
>
> What's happening here?
>
> I'm feeling like it has something to do with my Partner Admin role/Full
> Admin Customer role, but then I tried a co-worker's PMR URI in the same
> scenarios and it doesn't work for them.  e.g.,
>
> https://mycustomer.webex.com/meet/coworker
>
> I also tried it in private browsing mode, and on a different computer, and
> it still works, so I'm certain it's not because of some cached info or
> installation on my PC.
>
> As another test, I have a few other customers in control hub, but who have
> their Webex managed in classic Webex, and this trick doesn't work there.
> Correlation?  I don't know.
>
> As one last test, I tried several other (non-customers to me) webex hosted
> sites, just to see if it works, but of all of the ones I tested (e.g.,
> cisco.webex.com, cigna.webex.com, medtronic.webex.com, target.webex.com,
> etc.), it never worked elsewhere; just with my own customers.
>
> I could trick people into joining my PMR as a representative of another
> company, where I don't even have an account, and possibly get them to
> divulge information, or worse, allow me to control their PC.
>
> But then again, this might be by design, of the control hub, and the way
> the partner piece is set up.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 199778 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20190409/bab55904/attachment.png>

