The GoToWebinar Security Flaw I Couldn’t Talk About

It took six months, but I finally got LogMeIn to fix a nasty bug in GoToWebinar. I made a decision to keep the bug quiet in order to reduce the likelihood of people using it against unwitting webinar presenters. Now the fix is in place and I feel free to talk about it.

The short summary is that webinar attendees had the ability to see presenter webcams during pre-broadcast time when the presenters thought they were in private mode.

To understand the situation, you need to understand how GoToWebinar handles early attendees who log in to a webinar before show time. I wrote about this subject several months ago in What Do Your Webinar Attendees See Before You Start?

GoToWebinar allows hosts to choose between two options: They can open the webinar session in Practice Mode, which keeps early attendees in a holding area, not fully connected to the conference, with a message that the meeting will begin when the organizer arrives. Not very welcoming, and it reads as though the host is simply running late.

Or hosts can start the webinar session and refrain from clicking the button that says “Start broadcast.” This lets attendees see a presenter’s shared screen (I usually show a welcoming title slide) and type questions. Presenters can talk to each other and test their webcams without the attendees being able to see or hear.

EXCEPT…

Back in January, I published a post asking readers if they had run across Webinar Webcam Weirdness: Video Showing While Disabled. I had two GoToWebinar attendees inform me that they had been watching all the presenters on webcam during the preshow portion. This baffled me because I was logged in as an attendee myself and verified that the webcam video streams were not showing. How could they be seen by two people and nobody else?

I filed a bug report and received a disappointing response from tech support. “There’s only one other report, and that couldn’t be replicated either. So it’s basically like we don’t believe you. Unless we get several reports, it’s just user error and I can’t escalate it.”

That didn’t sit well with me and I called upon some contacts in the organization to help pull some strings. Sure enough, it got escalated. They analyzed log files and after a month, they figured out the problem.

It turns out that when webcams are turned on at the same time as screen sharing, the webcam videos are displayed in a horizontal strip running across the top of the attendee’s display. The shared screen content is shown below that. Attendees can move the divider line between the two sections to change the relative amount of screen space taken up by the two elements.

In pre-broadcast mode when I showed a welcome slide, attendees saw the divider bar and blank webcam windows above it. If they moved the divider bar all the way up to the top of the screen and then dragged it back down again, the webcam windows were no longer blanked out… They showed the streaming video that the presenters were seeing during preshow.

I made a very short video showing this operation in practice. It might be hard to visualize from the preceding description, but you’ll grasp it quickly if you watch the minute-and-a-half video explanation. (If the embedded video does not play in your reader, you can see it on YouTube at https://youtu.be/MVD3rPhIt4o)

I think we can all agree that you don’t want to be broadcasting to the public without knowing it. Sure, in most cases preshow video is perfectly innocuous. But what if there were confidential information written on a whiteboard behind a presenter and they weren’t worried about erasing it immediately, safe in the knowledge that nobody would see it until we went public? Even worse is the idea of a single presenter thinking that nobody can see him or her until the broadcast starts. I gave a few examples in my video of how embarrassing THAT could be! I have even had presenters hold up documents or photos to the camera during preshow to share personal items with me that they might not want the public to see.

After a few false starts (“Hey Ken, we fixed it.” “No you didn’t.” “Yes, we did.” “I’ll show you.” “Oh, I guess we didn’t.”), LogMeIn rolled out version 10.17.0 last week and I verified that the behavior is finally gone.

Now in pre-broadcast mode, the webcam portion of the screen is suppressed and the shared screen content takes up the entire display for attendees. Once the organizer clicks Start broadcast, the webcam area shows up and attendees can move the divider line to change the screen space devoted to the different content areas. Perfect.
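As an added illustration (not the original post's or LogMeIn's code, and not a description of the real implementation, which the post does not give), here is a hypothetical JavaScript model contrasting a client that merely blanks webcam tiles it has already received with one that never receives them before broadcast; the stream IDs and class names are constructed.

```javascript
// Hypothetical model of the attendee client, built to illustrate the flaw
// in the post. Not GoToWebinar's code; the real mechanism is not described.
const PRESENTER_CAMS = ["cam-presenter-1", "cam-presenter-2"]; // constructed IDs

// Flawed design: presenter streams reach attendees before broadcast and the
// client merely blanks the webcam pane. Dragging the divider to the top tears
// the pane down; dragging it back rebuilds it from the streams the client
// already holds, and the "blanked" flag is lost with the old pane.
class BlankingAttendeeView {
  constructor(broadcastStarted) {
    this.streams = [...PRESENTER_CAMS];          // delivered regardless
    this.pane = { blanked: !broadcastStarted };
  }
  dragDivider(position) {                        // 0 = divider at the top
    if (position === 0) {
      this.pane = null;                          // pane torn down
    } else if (this.pane === null) {
      this.pane = { blanked: false };            // rebuilt, flag forgotten
    }
  }
  visibleWebcams() {
    return !this.pane || this.pane.blanked ? [] : this.streams;
  }
}

// Fixed design: gate at the source. Before broadcast the server sends no
// presenter webcam streams and the client draws no webcam pane at all.
function streamsForAttendee(broadcastStarted) {
  return broadcastStarted ? [...PRESENTER_CAMS] : [];
}
class GatedAttendeeView {
  constructor(broadcastStarted) {
    this.streams = streamsForAttendee(broadcastStarted);
    this.pane = this.streams.length > 0 ? { collapsed: false } : null;
  }
  dragDivider(position) {
    if (this.pane) this.pane.collapsed = position === 0;
  }
  visibleWebcams() {
    return this.pane && !this.pane.collapsed ? this.streams : [];
  }
}

// The attendee's action from the post: divider all the way up, then back down.
function webcamsAfterDividerDrag(view) {
  view.dragDivider(0);
  view.dragDivider(0.3);
  return view.visibleWebcams();
}
```

The point of the model is that anything the client already holds can be exposed by a presentation glitch; suppressing the webcam pane and withholding the streams until Start broadcast is clicked, as the fixed version does, leaves nothing for a layout manipulation to reveal.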

So now you know the story and can lament the fact that you missed your opportunity to spy on presenters when they thought nobody could see them.