[cisco-voip] Your Associated Webex Sites

Anthony Holloway avholloway+cisco-voip at gmail.com
Tue Sep 10 09:39:22 EDT 2019


PSIRT contacted/raised.  I linked them to this thread.

On Mon, Sep 9, 2019 at 5:15 PM Brian Meade <bmeade90 at vt.edu> wrote:

> Technically you can still be associated to multiple sites even with
> Control Hub such as having a Meeting Center and Event Center license.
>
> Most of it seems to be accounting for Site Administration use cases where
> your email address could exist across multiple organizations.
>
> This is an interesting thing along with how you found that each site you
> are Partner Admin for allows you to have a PMR on their site.  It's mainly
> just applicable to us Cisco partners.  I'd reach out to PSIRT about it and
> see what they think.
>
> I did test with Fiddler and that API request doesn't seem to be documented
> anywhere which is interesting.
>
> On Mon, Sep 9, 2019 at 1:21 PM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>
>> I think this is because in old site admin days, which still exist, your
>> userID / password combo is (can be) stored with the site itself. So, in
>> reality, you can have multiple (different) passwords.
>>
>> *-sent from mobile device-*
>>
>>
>> *Lelio Fulgenzi, B.A.* | Senior Analyst
>>
>> Computing and Communications Services | University of Guelph
>>
>> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
>> N1G 2W1
>>
>> 519-824-4120 Ext. 56354 <519-824-4120;56354> | lelio at uoguelph.ca
>>
>>
>>
>> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>>
>> On Sep 9, 2019, at 1:03 PM, Anthony Holloway <
>> avholloway+cisco-voip at gmail.com> wrote:
>>
>> I don't know Brian.  My work email is only associated to a single
>> password, not multiple.  Ask me for my password, and then show me my list
>> of sites.  Makes sense in my head.
>>
>> On Mon, Sep 9, 2019 at 9:59 AM Brian Meade <bmeade90 at vt.edu> wrote:
>>
>>> This would be a big change most likely on the Webex side.  They can't
>>> authenticate until they know which site and manually entering site URLs is
>>> probably a no-go for end users.  A bit similar to Zoom's issue trying to
>>> focus more on faster join times/easier experience over security.
>>>
>>> On Mon, Sep 9, 2019 at 10:01 AM Anthony Holloway <
>>> avholloway+cisco-voip at gmail.com> wrote:
>>>
>>>> Exactly!  Ok, so now you are seeing what I am seeing.  Just imagine if
>>>> one were so inclined to use Fiddler to see what call the app was making to
>>>> the cloud, and then use that knowledge in a python script to automate the
>>>> scraping of this data.  Not that I did that.  Laughs in PSIRT.
>>>>
>>>> On Mon, Sep 9, 2019 at 8:56 AM Brian Meade <bmeade90 at vt.edu> wrote:
>>>>
>>>>> I just did some testing here.  I'm also seeing some Control Hub-only
>>>>> customers in my list.  I'm set as a partner admin only for those accounts.
>>>>>
>>>>> On Mon, Sep 9, 2019 at 9:32 AM Matthew Loraditch <
>>>>> MLoraditch at heliontechnologies.com> wrote:
>>>>>
>>>>>> Ohhhhh, Interesting. Everyone we have is on CI and Control Hub, so I
>>>>>> don’t see other sites.
>>>>>>
>>>>>> Matthew Loraditch
>>>>>> Sr. Network Engineer
>>>>>> p: 443.541.1518
>>>>>> w: www.heliontechnologies.com | e: MLoraditch at heliontechnologies.com
>>>>>>
>>>>>> *From:* Brian Meade <bmeade90 at vt.edu>
>>>>>> *Sent:* Monday, September 9, 2019 9:25 AM
>>>>>> *To:* Matthew Loraditch <MLoraditch at heliontechnologies.com>
>>>>>> *Cc:* Anthony Holloway <avholloway+cisco-voip at gmail.com>; Charles
>>>>>> Goldsmith <w at woka.us>; Cisco VoIP Group <cisco-voip at puck.nether.net>
>>>>>> *Subject:* Re: [cisco-voip] Your Associated Webex Sites
>>>>>>
>>>>>>
>>>>>>
>>>>>> I think the issue he's talking about is when logging in to something
>>>>>> such as the Webex Meetings App.  After entering your email address, you get
>>>>>> a list of sites to choose from.  Technically you could enter anyone's email
>>>>>> address and see what Webex sites they have an account on.
>>>>>>
>>>>>>
>>>>>>
>>>>>> This mostly seems to be Site Admin sites since you can't have the
>>>>>> same email in 2 different control hub organizations.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Sep 9, 2019 at 8:15 AM Matthew Loraditch <
>>>>>> MLoraditch at heliontechnologies.com> wrote:
>>>>>>
>>>>>> The only list I can think of is behind the sign in screen for Webex
>>>>>> admin and it only lists the accounts you have been given access to so I’m
>>>>>> not sure how or why this would ever be a problem? It’s no different than
>>>>>> looking at my deal list in CCW or say your accounting department's list of
>>>>>> accounts? Unless I’m missing what you are thinking about?
>>>>>>
>>>>>> Matthew Loraditch
>>>>>> Sr. Network Engineer
>>>>>> p: 443.541.1518
>>>>>> w: www.heliontechnologies.com | e: MLoraditch at heliontechnologies.com
>>>>>>
>>>>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf
>>>>>> Of *Anthony Holloway
>>>>>> *Sent:* Monday, September 9, 2019 8:11 AM
>>>>>> *To:* Charles Goldsmith <w at woka.us>
>>>>>> *Cc:* Cisco VoIP Group <cisco-voip at puck.nether.net>
>>>>>> *Subject:* Re: [cisco-voip] Your Associated Webex Sites
>>>>>>
>>>>>>
>>>>>>
>>>>>> Correct, mostly for Partners, since:
>>>>>>
>>>>>>
>>>>>>
>>>>>> A) We have a higher quantity than end customers
>>>>>>
>>>>>> B) The list of sites acts like a list of customers we do business
>>>>>> with (past, current and future)
>>>>>>
>>>>>> C) Lists off all end customer sites too (which, depending on how the
>>>>>> site names are being used, could give insight into the business; E.g.,
>>>>>> divisions, project names, future name changes indicating: splits, mergers,
>>>>>> re-branding, etc.)
>>>>>>
>>>>>>
>>>>>>
>>>>>> However, I would think it would apply to end customers themselves
>>>>>> too.  Not only for option C above, but I can also see a situation where if
>>>>>> two customer names were put side-by-side on the same list, that could cause
>>>>>> an issue.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Sep 9, 2019 at 1:04 AM Charles Goldsmith <w at woka.us> wrote:
>>>>>>
>>>>>> Lelio, I think this mainly applies to partners, since we can see our
>>>>>> customer sites.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Anthony, I don't think there is a public listing of your sites, not
>>>>>> that I've seen anyway.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Sep 9, 2019 at 12:07 AM Lelio Fulgenzi <lelio at uoguelph.ca>
>>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> I’m not quite sure I understand the question.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Are you asking about a public index of sites?
>>>>>>
>>>>>>
>>>>>>
>>>>>> I know that configuration-wise, you can choose to list meetings on a
>>>>>> site. We’ve chosen to not do that. So the worst that can happen is someone
>>>>>> gets to our WebEx landing page.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I’m not sure what hiding a site helps with. Or helps deter.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I mean, I’ve got our site listed on our service pages. They’re not
>>>>>> restricted, so anyone can find it.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Logins are protected by SSO, so we’ve got that going too.
>>>>>> Protection-wise, I mean.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Is there something I’m missing?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Are you gonna make me lose sleep now!??? :)
>>>>>>
>>>>>>
>>>>>>
>>>>>> *-sent from mobile device-*
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Lelio Fulgenzi, B.A.* | Senior Analyst
>>>>>>
>>>>>> Computing and Communications Services | University of Guelph
>>>>>>
>>>>>> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON
>>>>>> | N1G 2W1
>>>>>>
>>>>>> 519-824-4120 Ext. 56354 <519-824-4120;56354> | lelio at uoguelph.ca
>>>>>>
>>>>>>
>>>>>>
>>>>>> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sep 8, 2019, at 2:45 PM, Anthony Holloway <
>>>>>> avholloway+cisco-voip at gmail.com> wrote:
>>>>>>
>>>>>> All,
>>>>>>
>>>>>>
>>>>>>
>>>>>> I want to take the pulse on a topic here, relating to your list of
>>>>>> associated Webex sites, and whether or not they are private to you, or if
>>>>>> they should be public information.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I was talking with a colleague about this ever growing list of
>>>>>> customers we work with being cataloged by Webex in the fact that we keep
>>>>>> getting associated to more and more customers, and what potential issue
>>>>>> this may cause if the site list were to be viewed by just anyone on the
>>>>>> internet.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Would you want your site list (whether end customer or partner admin)
>>>>>> protected from view of others, or is it not that big of a deal?
>>>>>>
>>>>>>
>>>>>>
>>>>>> And I guess as a follow up, is this list protected today, or is there
>>>>>> a means by which my list can be exposed to the public relatively easily?
>>>>>>
>>>>>> _______________________________________________
>>>>>> cisco-voip mailing list
>>>>>> cisco-voip at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip