<div dir="ltr"><div>Update</div><div><br></div><div>I had a two people contact me off list shortly after I sent the initial email:</div><div><br></div><div>- One person recommended reporting to PSIRT, which I did, but I never heard anything back</div><div>- One person said they were reaching out to Webex contacts to confirm, but I never heard back</div><div><br></div><div>It's still a problem, and here's a small insight:</div><div><br></div><div>From the end user perspective, the PMR URL ends with /anthony, but from the Control Hub advanced user settings page, it shows that it ends with /aholloway.</div><div><br></div><div><div><img src="cid:ii_jua047qw0" alt="image.png" style="margin-right: 0px;"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 6, 2019 at 2:47 PM Anthony Holloway <<a href="mailto:avholloway%2Bcisco-voip@gmail.com">avholloway+cisco-voip@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">I am wondering if anyone else knows why this might be happening, or if they have even themselves experienced this.<div><br></div><div>I am a Cisco Partner, and thus, have a Partner Account for Webex Control Hub, and several customers in there, for which we manage. I am a Partner Admin.</div><div><br></div><div>I am a Full Admin in the Customer view.</div><div><br></div><div>My own company's Webex is classic admin site Webex, and my own personal PMR is (sub-domains sanitized):</div><div><br></div><div><a href="https://mycompany.webex.com/meet/anthony" target="_blank">https://mycompany.webex.com/meet/anthony</a></div><div><br></div><div>If I go to one of my Customer's Webex sites, but using my PMR URI, e.g.,</div><div><br></div><div><a href="https://mycustomer.webex.com/meet/anthony" target="_blank">https://mycustomer.webex.com/meet/anthony</a></div><div><br></div><div>It will stay on their sub-domain, but utilize my own Company PMR.</div><div><br></div><div>I do have an account on the customer site, but my email address is one of their domain addresses, and my PMR URI is:</div><div><br></div><div><a href="https://mycustomer.webex.com/meet/aholloway" target="_blank">https://mycustomer.webex.com/meet/aholloway</a></div><div><br></div><div>As a test, I took another Customer, but one I don't work on, nor have an account there, and tried to access my own Comapny PMR URI but at their sub-domain, and it works there too:</div><div><br></div><div><a href="https://anothercustomer.webex.com/meet/anthony" target="_blank">https://anothercustomer.webex.com/meet/anthony</a></div><div><br></div><div>What's happening here?</div><div><br></div><div>I'm feeling like it has something to do with my Partner Admin role/Full Admin Customer role, but then I tried a co-workers PMR URI in the same scenarios and it doesn't work for them. e.g.,</div><div><br></div><div><a href="https://mycustomer.webex.com/meet/coworker" target="_blank">https://mycustomer.webex.com/meet/coworker</a></div><div><br></div><div>I also tried it in private browsing mode, and on a different computer, and it still works, so I'm certain its not because of some cached info or installation on my PC.</div><div><br></div><div>As another test, I have a few other customers in control hub, but who have their Webex managed in classic Webex, and this trick doesn't work there. Correlation? I don't know.</div><div><br></div><div>As one last test, I tried several other (non-customers to me) webex hosted sites, just to see if it works, but of all of the ones I tested (E.g., <a href="http://cisco.webex.com" target="_blank">cisco.webex.com</a>, <a href="http://cigna.webex.com" target="_blank">cigna.webex.com</a>, <a href="http://medtronic.webex.com" target="_blank">medtronic.webex.com</a>, <a href="http://target.webex.com" target="_blank">target.webex.com</a>, etc.), it never worked elsewhere; just with my own customers.</div><div><br></div><div>I could trick people into joining my PMR as a representative of another company, where I don't even have an account, and possibly get them to divulge information, or worse, allow me to control their PC.</div><div><br></div><div>But then again, this might be by design, of the control hub, and the way the partner piece is setup.</div><div></div></div></div>
</blockquote></div></div>