The Zoom vulnerability was originally discovered in June 2023. Despite the discovery being made earlier, the details were only publicly disclosed on November 28, 2023.
Zoom Rooms, the cloud-based video conferencing platform by Zoom, is making headlines due to a recently discovered vulnerability. This flaw poses a significant security risk as it enables attackers to seize control of a Zoom Room’s service account, gaining unauthorized access to the victim organization’s tenant.
Exploiting this Zoom vulnerability allows attackers to hijack meetings, manipulate the Contacts feature, infiltrate organization-wide whiteboards, and extract sensitive data from Team Chat channels, even without an invitation. What’s particularly concerning is that these actions can be carried out without detection.
In June 2023, a researcher at AppOmni discovered a vulnerability in Zoom Rooms during HackerOne’s live hacking event, H1-4420, where Zoom was a participating company. Despite the discovery being made earlier, the details were only publicly disclosed on November 28, 2023.
In a blog post shared with Hackread.com ahead of its scheduled publication on Tuesday, Ciarán Cotter from AppOmni outlined that once attackers gain access to an organization’s tenant, they can infiltrate confidential data shared within Team Chat, Whiteboards, and other Zoom applications.
For your information, Zoom Rooms allow team members from different physical locations to collaborate over Zoom. To set it up, the Zoom Rooms app must be installed on a device, such as an iPad. It serves as a terminal for everyone in the room. This device is of critical importance as it attends the meetings on behalf of all.
When a user creates a Zoom Room, their service account is automatically created with licenses for Whiteboards and Meetings. These accounts possess extensive access within the tenant because of their function as regular team members.
Exploiting the Zoom vulnerability enabled attackers to predict service account email addresses, hijack the accounts, and collect sensitive information. The issue arose because the Zoom Rooms service account ID was directly inherited from the user with the Owner role in the tenant during the account creation process.
This flaw meant that being in the same meeting as a Zoom Room and messaging it on Team Chat could expose the entire email address, given that it followed the format:
With this information, attackers could create an arbitrary Outlook email address that matches the format room__<account ID>@outlook.com and use it to follow the Zoom sign-up flow. They would then receive the activation link sent to the Zoom Room’s email address; because they controlled that inbox, they could click the link and activate the account.
The issue was further intensified by the fact that service accounts couldn’t be removed from Team Chat channels. However, there’s nothing to be wary of as Zoom has addressed this vulnerability by removing the ability to activate Zoom Room accounts. This prevents threat actors from exploiting the predictable email format and claiming unauthorized access to Zoom Room service accounts.
Still, this finding highlights the potential misuse of service accounts to gain unauthorized access to SaaS systems. Service accounts are frequently used by third-party applications to access SaaS data. Therefore, safeguarding these applications and service accounts is critical for maintaining a robust SaaS security posture.
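As an added illustration of the posture check the paragraph above argues for (not code from the article, AppOmni or Zoom), this Python audit walks a constructed user directory and flags Zoom Rooms service accounts whose mailbox sits outside the tenant’s verified domains, or that have been activated for interactive login. The record format, field names and sample values are assumptions, not Zoom’s API schema.

```python
import re
from dataclasses import dataclass

# Constructed record format for a tenant user directory (assumption, not Zoom's schema).
@dataclass
class TenantUser:
    email: str        # login identity of the account
    user_type: str    # "member" for people, "room" for a Zoom Rooms service account
    activated: bool   # whether the account completed the sign-up/activation flow

# Local-part shape the article describes for Zoom Rooms service accounts.
ROOM_LOCAL_PART = re.compile(r"^room__[a-z0-9-]+$", re.IGNORECASE)

def _in_tenant_domains(domain, verified):
    """True if the mailbox domain is a verified tenant domain or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in verified)

def audit_service_accounts(users, verified_domains):
    """Return (email, reason) findings for risky Zoom Rooms service accounts.

    A predictable room__<id> local part at a domain the tenant does not control
    is the condition the article describes: whoever registers that mailbox can
    receive the activation link. An already-activated room account is flagged
    because a service account should not be usable for interactive login.
    """
    verified = {d.lower() for d in verified_domains}
    findings = []
    for u in users:
        local, _, domain = u.email.rpartition("@")
        if u.user_type != "room" or not ROOM_LOCAL_PART.match(local):
            continue
        if not _in_tenant_domains(domain, verified):
            findings.append((u.email, "service account mailbox outside tenant-controlled domains"))
        elif u.activated:
            findings.append((u.email, "room service account activated for interactive login"))
    return findings

# Constructed sample directory; account IDs are made up.
SAMPLE_USERS = [
    TenantUser("alice@example.com", "member", True),
    TenantUser("room__a1b2c3d4@rooms.example.com", "room", False),  # fine: tenant subdomain
    TenantUser("room__e5f6g7h8@outlook.com", "room", False),        # risky: consumer mailbox
    TenantUser("room__i9j0k1l2@example.com", "room", True),         # risky: activated
]
SAMPLE_DOMAINS = ["example.com"]

if __name__ == "__main__":
    for email, reason in audit_service_accounts(SAMPLE_USERS, SAMPLE_DOMAINS):
        print(f"{email}: {reason}")
```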