Channel: Security forum

WARNING! BEWARE! Potential Security Hole Webex and Certificates


I just had a WEBEX support session on my server with a person from a company that I would normally trust.

Three Points:

1. The Webex security certificate shows certification to *.webex.com. How do I know for sure that the Webex Support guy connected to me is from GoodGuys.webex.com and not BadGuys.webex.com from this?


2. This is even more amazing: At some point I had to grant full permission to the support guy. He needed to upload a log file, and guess what, he could do it without me seeing anything on my screen! There should have at least been a popup visible at all times with a cancel button. But no, this happens without me knowing what files are being uploaded. (I had a separate process monitor, watching, in my case, what was being uploaded - AFTER I realized Webex had this secret capability.)

3. Even worse, he told me that he could also download something, say a shortcut to my desktop (and here is me thinking), it could actually be a link to any kind of malware. If the shortcut looked innocuous or simply replaced an existing one using the same icon, how would we know we clicked on something bad?

This means that, to the gullible (and how do I know I REALLY was called by the company I thought I was?), a rogue support person could connect to a corporate system, steal data, and download malware without any indication it was happening. The support person told me that, in his company's case, they actually log all files being uploaded and downloaded and they are reviewed so I wouldn't have to worry. Of course, that's just what BadGuys.webex.com would tell me too.

This should be an eye opener. Shame on Webex for such pitiful safeguards.

Bob.
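
Point 1 above, as an added example that is not part of the original post: a simplified model of RFC 6125-style wildcard matching, showing that a certificate for `*.webex.com` validates equally for any single-label site name, so the check that distinguishes one site from another is comparing the hostname against the one the vendor gave you out-of-band. The function names are hypothetical, `GoodGuys.webex.com` and `BadGuys.webex.com` are the post's own placeholder names, and the remaining hostnames are constructed.

```python
# Added example: simplified wildcard certificate name matching.
# Not a full RFC 6125 implementation (no IDN or partial-label wildcards).

def matches(pattern: str, hostname: str) -> bool:
    """Return True if hostname is covered by the certificate name pattern.

    Rules modelled: case-insensitive comparison, a wildcard is only valid
    as the complete left-most label, and it covers exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least "*.domain.tld"; compare everything after the wildcard.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def audit(pattern: str, expected_host: str, presented_hosts: list) -> list:
    """For each host return (host, cert_ok, is_expected_site).

    cert_ok is what TLS validation of the name tells you;
    is_expected_site additionally requires the exact site name that
    was obtained from the vendor through a separate, trusted channel.
    """
    results = []
    for host in presented_hosts:
        cert_ok = matches(pattern, host)
        is_expected = cert_ok and host.lower() == expected_host.lower()
        results.append((host, cert_ok, is_expected))
    return results


CERT_NAME = "*.webex.com"                 # name shown in the certificate
EXPECTED = "GoodGuys.webex.com"           # site name confirmed out-of-band
HOSTS = [                                 # constructed sample inputs
    "GoodGuys.webex.com",
    "BadGuys.webex.com",
    "webex.com",
    "a.b.webex.com",
    "webex.com.example.net",
]

if __name__ == "__main__":
    for host, cert_ok, is_expected in audit(CERT_NAME, EXPECTED, HOSTS):
        print(f"{host:28} cert_ok={cert_ok!s:5} expected_site={is_expected}")
```

The certificate check passes for both of the post's site names; only the comparison against the independently confirmed hostname separates them.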

