
Cisco Webex Connect Flaw Exposed Millions of Chat Histories


A critical security vulnerability in Cisco Webex Connect allowed unauthorized access to millions of customer-support chat histories belonging to organizations ranging from government agencies to Fortune 500 companies.

The flaw, discovered by researchers at Orion Security, affected both internal IT help desk systems and external customer-facing support environments.

The vulnerability stemmed from a design flaw in how Cisco Webex Connect (previously IMI Chat) handled authentication: the system used the public clientKey as the secretKey for sensitive API calls, so possession of a value that was never secret was enough to access chat histories without proper authorization.

The exploit chain involved multiple steps, beginning with accessing the chat widget's settings endpoint to obtain configuration data and a clientKey. This clientKey could then be used to create and list chat threads, ultimately enabling unauthorized access to complete chat histories through the GetPreviousChatHistory API endpoint.

What made this vulnerability particularly concerning was that attackers only needed an organization's app_uuid and domain origin to potentially access sensitive communications. 
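The design mistake described above is that a value handed to every visitor's browser (the widget's clientKey) was accepted as proof of authority to read any thread. The following is an added illustration, not Cisco's code and not derived from the Webex Connect API: a toy chat-history service with the flawed check beside a hardened one that mints an unguessable, thread-bound token when a thread is created. All class names, the sample threads and the key values are constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed sample data (not from Cisco): one tenant's public widget key and
# two support threads that belong to two different visitors.
WIDGET_CLIENT_KEY = "pk_live_example_public_key"   # shipped to every browser with the widget settings
CHAT_THREADS = {
    "thread-1": ["Visitor: I can't log in to the VPN.", "Agent: What is your username?"],
    "thread-2": ["Visitor: Attaching our security questionnaire answers."],
}
SERVER_SECRET = secrets.token_bytes(32)            # stays server-side; never sent to a browser


class VulnerableHistoryAPI:
    """Models the flawed design: the public clientKey doubles as the secret."""

    def __init__(self, client_key, threads):
        self.client_key = client_key
        self.threads = threads

    def settings(self):
        # Public by design: any visitor's browser must receive this to render the widget.
        return {"clientKey": self.client_key}

    def get_previous_chat_history(self, thread_id, presented_key):
        # The only check is possession of a value that was given to everyone,
        # and it is not tied to any particular thread.
        if not hmac.compare_digest(presented_key, self.client_key):
            raise PermissionError("bad key")
        return self.threads[thread_id]


class HardenedHistoryAPI:
    """Per-thread capability: a server-issued token bound to the thread id."""

    def __init__(self, client_key, threads, server_secret):
        self.client_key = client_key
        self.threads = threads
        self._secret = server_secret
        self._thread_nonces = {}

    def settings(self):
        # Still public, but now it only identifies the tenant; it authorizes nothing.
        return {"clientKey": self.client_key}

    def create_thread(self, thread_id):
        # The creating visitor's browser receives this token once; it is random,
        # specific to this thread, and cannot be derived from the public key.
        nonce = secrets.token_hex(16)
        self._thread_nonces[thread_id] = nonce
        return self._token(thread_id, nonce)

    def _token(self, thread_id, nonce):
        msg = f"{thread_id}:{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def get_previous_chat_history(self, thread_id, presented_token):
        nonce = self._thread_nonces.get(thread_id)
        if nonce is None:
            raise PermissionError("unknown thread")
        expected = self._token(thread_id, nonce)
        if not hmac.compare_digest(presented_token, expected):
            raise PermissionError("token not valid for this thread")
        return self.threads[thread_id]


def demo():
    """Returns, per design, whether each request is accepted."""
    results = {}
    vuln = VulnerableHistoryAPI(WIDGET_CLIENT_KEY, CHAT_THREADS)
    public_key = vuln.settings()["clientKey"]
    results["vulnerable_public_key_reads_any_thread"] = (
        vuln.get_previous_chat_history("thread-2", public_key) == CHAT_THREADS["thread-2"]
    )

    fixed = HardenedHistoryAPI(WIDGET_CLIENT_KEY, CHAT_THREADS, SERVER_SECRET)
    token_1 = fixed.create_thread("thread-1")
    fixed.create_thread("thread-2")   # thread-2's token goes to its own visitor only
    results["fixed_owner_reads_own_thread"] = (
        fixed.get_previous_chat_history("thread-1", token_1) == CHAT_THREADS["thread-1"]
    )
    attempts = [
        ("fixed_public_key_rejected", "thread-2", fixed.settings()["clientKey"]),
        ("fixed_token_not_transferable", "thread-2", token_1),
    ]
    for label, thread, credential in attempts:
        try:
            fixed.get_previous_chat_history(thread, credential)
            results[label] = False
        except PermissionError:
            results[label] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the hardened class makes is that a secret used to authorize a read must be both unguessable and scoped: a token for one thread must not open another, and nothing the widget publishes to the browser should count as a credential. A review of any embedded chat or support widget can ask the same two questions of whatever it sends with history requests.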

"Live chat systems are interesting attack vectors because chat histories contain a trivial amount of sensitive customer data," explained Rojan Rijal, CEO of Orion Security. "The data that could be extracted could range from customer PII to answers to security questionnaires and even credentials to internal systems."

The compromised chat histories could contain various types of sensitive data, including customer personally identifiable information (PII), responses to security questionnaires, and even credentials to internal systems.

The vulnerability was first reported in July 2024 and an initial fix was deployed in October 2024, which proved bypassable, leading to additional patches in December 2024 and January 2025.

Organizations using Cisco Webex Connect, particularly those handling sensitive customer communications, should ensure they have updated to the latest patched version to prevent unauthorized access to their chat histories.
