User Community Feedback

Submitted ideas will be evaluated by our product teams for upcoming releases and will be responded to so you know where things stand. For product support, please use the community forums or contact TAC.

NOTE: All Cisco employees & Channel Partners must enter Ideas through this Ideas Portal.

Changes of Webex email address via the APIs should trigger notification emails as they would if changed via or

If we change a Webex users email address (say by or then the original email address is sent an email identifying that a change has been made and to check the new emails address; the new email address receives a similar notification, but also contains a "confirm email" button to complete/confirm the changing of email address.

If the email address change is made by API call then no such emails are sent.

This lack of confirmation will be seen as a security loophole, allowing people to randomly change the email address associated with a Webex account (e.g. to their own email!), so needs resolving a.s.a.p. please before our customers/resellers recognise this limitation and complain to us.

I appreciate that when a change is made via API call, the change can only be made by an Org Administrator, and that a user who's given the Administrator role should be vetted by the Org to ensure that they are capable of managing users correctly and not cause any issues where they purposely change user information without that user's consent.

However, even if the change is made by an Administrator, I would think that from a security perspective, the impacted end user ought to be informed (as a double-check that nothing awry is going on) - standard security principles state that you should “always protect against the malicious insider” (especially if they have elevated privilege)!

I also note that in most cases I have experienced, even if I change my own email address on a website or in an application, both my old and new email addresses are notified …

  • Pete Shenton
  • Mar 16 2022