
Critical Zoom Vulnerability Allowed to Take Over Meetings and Infiltrate Zoom Tenants

A critical vulnerability in Zoom Rooms enabled malicious actors to take control of meetings and pilfer confidential information.

The Zoom vulnerability was first identified in June 2023, but the details were only publicly disclosed on November 28, 2023.

Zoom, a leading video conferencing platform, came under scrutiny due to a critical vulnerability discovered in Zoom Rooms, a feature designed for collaborative meetings in physical spaces. Researchers at AppOmni identified the flaw during the HackerOne live hacking event H1-4420 in June 2023, raising concerns about potential unauthorized access to Zoom tenants.

The vulnerability enables attackers to seize control of Zoom Room service accounts, giving them access to the victim organization’s tenant. This poses a significant security risk, since it allows attackers to read confidential data in Team Chat, Whiteboards, and other Zoom applications without being detected. While acknowledging the severity of the issue, Zoom promptly addressed it and clarified that it had no impact on production tenants.

Understanding the Zoom Room Vulnerability and Its Far-reaching Consequences

The exploit involves predicting service account email addresses, which is made easier by Zoom automatically assigning them in the format rooms_<account ID>@companydomain.com. The account ID is derived from the user ID value of the service account, and the address inherits the email domain of the user holding the Owner role at account creation.

Ciarán Cotter from AppOmni, in a blog post shared with Hackread.com, highlighted the implications of the vulnerability. Once attackers gain access to an organization’s tenant, they can compromise confidential data shared within Team Chat, Whiteboards, and other Zoom applications. Zoom Rooms, which lets team members in different physical locations collaborate, relies on service accounts created with licenses for Whiteboards and Meetings. These service accounts possess extensive access within the tenant, much like regular team members.

The flaw becomes more serious when an attacker who is in the same meeting as a Zoom Room messages it on Team Chat, which exposes the room’s full email address in the format rooms_<account ID>@companydomain.com. Using this information, threat actors could create arbitrary Outlook email addresses matching the format room__<account ID>@outlook.com. By then following the Zoom sign-up flow, they receive an activation link sent to the Zoom Room’s email address, allowing them to activate the compromised account.

Compounding the concern, service accounts could not be removed from Team Chat channels. Researchers noted that Room users, including the Owner, could persistently and invisibly view the contents of any channel, including confidential information. This discovery highlights the potential misuse of service accounts to gain unauthorized access to SaaS systems.
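As an added illustration (not code from the original article or from AppOmni), here is a Python check a tenant administrator could run over exported user, channel-membership and sign-in data: it identifies Zoom Room service accounts by the address format described above, flags those whose domain is a public mail provider, lists the channels they sit in, and flags interactive sign-in or activation events for them. The field names, event types and sample data are assumptions constructed for the example, not Zoom's own API.

```python
import re

# Zoom Rooms service accounts use the address format described above:
# rooms_<account ID>@<domain of the Owner at account creation>.
# The regex (digits for the ID) is an assumption; adjust it to your tenant.
ROOM_ACCOUNT_RE = re.compile(r"^rooms_(?P<account_id>\d+)@(?P<domain>[^@\s]+)$", re.I)

# Hypothetical list of public mailbox providers where anyone can register an address.
PUBLIC_MAIL_DOMAINS = {"outlook.com", "hotmail.com", "gmail.com"}

# Event types a room device never generates (hypothetical names, not Zoom's own).
INTERACTIVE_EVENTS = {"web_signin", "account_activation"}

def room_account(email):
    """Return (account_id, domain) if email matches the service-account format, else None."""
    m = ROOM_ACCOUNT_RE.match(email.strip())
    return (m.group("account_id"), m.group("domain").lower()) if m else None

def audit(users, channel_members, signin_events):
    """Return (severity, finding) tuples for a user list, channel membership and sign-in log."""
    rooms = {u.lower(): room_account(u) for u in users}
    rooms = {email: info for email, info in rooms.items() if info}
    findings = []
    for email, (_, domain) in rooms.items():
        if domain in PUBLIC_MAIL_DOMAINS:  # address is predictable and registrable by anyone
            findings.append(("high", f"{email}: service account on public mail domain {domain}"))
    for channel, members in channel_members.items():
        for member in members:
            if member.lower() in rooms:  # the account cannot be removed; review what it can read
                findings.append(("medium", f"{member.lower()} is a member of channel '{channel}'"))
    for ev in signin_events:
        actor = ev["user"].lower()
        if actor in rooms and ev["type"] in INTERACTIVE_EVENTS:  # a room device would not do this
            findings.append(("critical", f"{actor}: {ev['type']} from {ev['src_ip']} at {ev['time']}"))
    return findings

def run_sample():
    """Run the audit over constructed sample data (not real tenant data)."""
    users = ["alice@example.com", "rooms_10234@example.com", "rooms_77@outlook.com"]
    channels = {"board-finance": ["alice@example.com", "Rooms_10234@example.com"],
                "general": ["alice@example.com"]}
    events = [{"user": "rooms_77@outlook.com", "type": "account_activation",
               "src_ip": "203.0.113.5", "time": "2023-06-14T10:02:00Z"},
              {"user": "rooms_10234@example.com", "type": "device_pairing",
               "src_ip": "192.0.2.9", "time": "2023-06-14T10:05:00Z"}]
    return audit(users, channels, events)
```

Running `run_sample()` yields three findings: one high (public domain), one medium (channel membership) and one critical (an activation event for a room account).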


Addressing the Vulnerability: Zoom’s Swift Response and the Imperative for Heightened Security Measures

Zoom responded by removing the ability to activate Zoom Room accounts, preventing threat actors from exploiting the predictable email format. The incident underscores the continuous need to strengthen security measures in widely used collaboration tools like Zoom Rooms. We urge organizations to stay vigilant in the face of evolving threats and to ensure robust protection against unauthorized access to sensitive organizational data.

Christin (https://secry.me/explore)
A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.
