A Zoom flaw that enabled the hijacking of service accounts with access to potentially confidential information was disclosed by bug hunters this week.
The vulnerability in the Zoom Rooms feature mostly affected Zoom tenants using email addresses from large providers like Outlook and Gmail.
The flaw was first discovered at an ethical hacking and bug bounty event in June and patched by Zoom prior to its disclosure, with no known use in the wild.
The post explains how he and his colleagues used the vulnerability to gain access to Zoom Rooms service accounts at the HackerOne H1-4420 event on June 22.
Zoom was a sponsor of the event and awarded bug bounty payouts to participating white-hat hackers.
"This vulnerability had the potential to allow an attacker to claim a Zoom Room's service account and gain access to the victim's organization's tenant," Cotter wrote.
"As a service account, an attacker would have invisible access to confidential information in Team Chat, Whiteboards, and other Zoom applications."
Zoom Rooms is a feature that allows video conferencing between teams in separate physical locations, such as when a company has offices in multiple cities or wants to bring in-person and remote workers into the same meeting.
As opposed to an individual's Zoom account, the Zoom Room service account represents everyone at a particular location, such as a conference room, and "Attends" Zoom meetings through one device at that location.
Finding out the service email address of a Zoom Room to exploit was relatively easy; the address is available to anyone who attends a meeting with a Room or messages the Room on Team Chat.
Once the account hijacker gained access to the Zoom tenant, they would be able to use it to join or host meetings, view the organization's contacts, and access the organization's Whiteboards and Team Chat channels.
AppOmni also discovered that the Room account could not be removed from any Team Chat channels by any administrator or the Owner.
"Following several conversations with the Zoom team, the vulnerability was validated and promptly remediated," according to Cotter.
"To mitigate this issue, Zoom removed the ability to activate Zoom Room accounts."
A Zoom spokesperson told SC Media, "We have resolved this security issue. As always, we recommend users keep up to date with the latest version of Zoom to take advantage of Zoom's newest features and security updates."
The white-hat hackers that discovered the bug received a $5,000 payout from Zoom's bug bounty program, according to Cotter, who tweeted that Zoom rated the bug severity as "High" under its own Vulnerability Impact Scoring System.
Zoom has implemented a range of measures to improve its products' security in the years since the COVID-19 lockdown that rocketed the company into the public spotlight.
Zoom was heavily criticized due to a number of zero-day vulnerabilities and privacy problems plaguing the influx of new users.
As part of its efforts to boost security, it beefed up its bug bounty program and vulnerability disclosure efforts in 2020, working with HackerOne and Bugcrowd to help discover flaws.
Zoom awarded $3.9 million in bounties in fiscal year 2023, and more than $7 million since the program began.
This Cyber News was published on packetstormsecurity.com. Publication date: Fri, 01 Dec 2023 23:06:57 +0000