
Cisco Webex Chat Vulnerabilities Expose Organization Chat Histories to Attackers

A major cybersecurity vulnerability in Cisco Webex Chat (previously known as IMI Chat) has raised alarming concerns after it was revealed that unauthenticated attackers could access the chat histories of organizations using the platform.

First identified in July 2024, the flaw exposed sensitive communications from hundreds, potentially thousands, of organizations spanning internal IT help desks to customer-facing operations.

Critical Exposure of Sensitive Data

Cisco Webex Chat, acquired in 2021 following the purchase of IMI Engage by IMImobile PLC, is widely used for live chat support.

The tool enables organizations to integrate a chat widget into web applications for customers or internal staff.

Example of how to embed the Webex Chat (IMI Chat) widget in a web page

However, this functionality became an attack vector due to the insecure use of a “clientKey” — originally intended as a public identifier — which was also employed as a secretKey for sensitive API calls.

The issue allowed threat actors to list and retrieve chat thread metadata and even access the full historical conversation logs.

These logs could potentially contain sensitive customer information, personally identifiable information (PII), internal credentials, and responses to security queries.

How the Exploit Works

The flaw was rooted in the way chat threads were initialized and managed via backend API calls. Researchers discovered the following:

  • Thread Initialization: The /threads API endpoint used the clientKey to create new chat sessions but also inadvertently allowed the listing of existing threads.
  • Unauthorized Thread Access: By sending a GET request with the clientKey, attackers could retrieve metadata for ongoing and past chat threads, including thread identifiers (UUIDs).
  • Chat History Retrieval: Attackers could exploit another API call, GetPreviousChatHistory, to access the complete text content of chat threads. Parameters like the app UUID, client ID, and thread ID — which could be harvested via earlier steps — were enough to retrieve sensitive conversation logs.
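To make the root cause concrete from a design standpoint, the following Python model is an added example and not Cisco's code or the researchers' PoC. It contrasts the reported authorization pattern (a public clientKey that also serves as the secret for listing threads and reading histories) with a hypothetical hardened pattern in which the clientKey only identifies the app and a random per-thread session token, minted at thread creation, is the only credential that can read that thread. The class names, header names (Secretkey, Clientkey, X-Session-Token), and the sample threads and messages are all constructed for the example.

```python
import hmac
import secrets
from copy import deepcopy


class Forbidden(Exception):
    """Raised when an API call fails the authorization policy."""


# Constructed sample data: one app, two pre-existing threads. The key is
# "public" because the embeddable widget ships it to every browser.
PUBLIC_CLIENT_KEY = "ck_public_embedded_in_widget"
SAMPLE_THREADS = {
    "7b1e4a2c-0000-4000-8000-000000000001": {
        "history": ["Hi, I forgot my VPN password", "Temporary password: (redacted)"],
    },
    "7b1e4a2c-0000-4000-8000-000000000002": {
        "history": ["Order 42 is late"],
    },
}


class VulnerableThreadApi:
    """Mirrors the reported design: the public clientKey doubles as the secret,
    so anyone holding it can enumerate every thread and read every history."""

    def __init__(self, client_key, threads):
        self._client_key = client_key
        self._threads = deepcopy(threads)

    def _check(self, headers):
        if headers.get("Secretkey") != self._client_key:
            raise Forbidden("bad secret")

    def list_threads(self, headers):
        self._check(headers)
        return sorted(self._threads)  # every thread id for the app

    def get_history(self, headers, thread_id):
        self._check(headers)
        return list(self._threads[thread_id]["history"])


class HardenedThreadApi:
    """Hypothetical fix: clientKey only identifies the app. A random token is
    issued when a thread is created and is the sole credential that reads it."""

    def __init__(self, client_key, threads):
        self._client_key = client_key
        self._threads = deepcopy(threads)
        self._tokens = {}  # thread_id -> session token issued at creation

    def create_thread(self, headers):
        if headers.get("Clientkey") != self._client_key:
            raise Forbidden("unknown app")
        thread_id = secrets.token_hex(16)
        token = secrets.token_urlsafe(32)
        self._threads[thread_id] = {"history": []}
        self._tokens[thread_id] = token
        return thread_id, token

    def list_threads(self, headers):
        # Widget callers never need enumeration; no key or token unlocks it here.
        raise Forbidden("listing requires an authenticated operator session")

    def get_history(self, headers, thread_id):
        expected = self._tokens.get(thread_id)
        presented = headers.get("X-Session-Token", "")
        # Constant-time compare; threads with no issued token stay unreadable.
        if expected is None or not hmac.compare_digest(expected, presented):
            raise Forbidden("token does not match thread")
        return list(self._threads[thread_id]["history"])


def _denied(call, *args):
    """Return True if the call is rejected by the authorization policy."""
    try:
        call(*args)
    except Forbidden:
        return True
    return False


def demo():
    """Exercise both policies holding only the public key; report what each allowed."""
    results = {}
    public_only = {"Secretkey": PUBLIC_CLIENT_KEY, "Clientkey": PUBLIC_CLIENT_KEY}

    vuln = VulnerableThreadApi(PUBLIC_CLIENT_KEY, SAMPLE_THREADS)
    ids = vuln.list_threads(public_only)
    results["vulnerable_threads_listed"] = len(ids)
    results["vulnerable_history_read"] = vuln.get_history(public_only, ids[0])

    hard = HardenedThreadApi(PUBLIC_CLIENT_KEY, SAMPLE_THREADS)
    old_id = next(iter(SAMPLE_THREADS))
    results["hardened_list_blocked"] = _denied(hard.list_threads, public_only)
    results["hardened_old_thread_blocked"] = _denied(hard.get_history, public_only, old_id)
    new_id, token = hard.create_thread(public_only)
    session = {"X-Session-Token": token}
    results["hardened_own_thread_read"] = hard.get_history(session, new_id)
    results["hardened_token_cross_thread_blocked"] = _denied(hard.get_history, session, old_id)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is that a value embedded in client-side JavaScript can never be a secret, so the server must bind read access to something the widget obtains only for its own session, and thread enumeration should not be reachable from the widget path at all.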

Proof-of-Concept and Real-World Impact

According to the Ophion Security blog, researchers created a proof-of-concept (PoC) script that demonstrated how attackers could exploit this vulnerability with only minimal information, such as the app UUID embedded in the widget’s JavaScript or the domain origin hosting the chat.

POST /rtmsAPI/api/v3/apps/CLIENT_ID/threads HTTP/2
Host: CUSTOMERNAME-usor.apps-imiconnect.io
Content-Length: 165
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
Content-Type: application/json
Accept: */*
Secretkey: CLIENT_KEY
Priority: u=1, i

{"title":"da0f3fca-5f21-4b8b-b76d-1bf5baf5813c_APP_ID_ALLOWED_ORIGIN_1727372312156","type":"Conversation","status":"Active"}

Tested against a real organization, the script successfully accessed all historical chat logs, revealing sensitive discussions between employees and IT teams.

This significant oversight by Cisco underscores the risks of inadequate security in SaaS products. Chat systems, widely assumed to be secure environments, can hold critical information that attackers can leverage for further exploits.

Organizations using Cisco Webex Chat are strongly advised to immediately audit their environments and ensure they are using a patched or updated version of the software.

Cisco must also prioritize revisions to its authentication and API handling mechanisms to safeguard sensitive customer and organizational data from future attacks.

As cybersecurity concerns continue to escalate, this incident serves as a stark reminder of the critical need for rigorous security testing and monitoring in enterprise SaaS tools.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
