A Zoom flaw that enabled the hijacking of service accounts with access to potentially confidential information was disclosed by bug hunters this week.
The vulnerability in the Zoom Rooms feature mostly affected Zoom tenants using email addresses from large providers like Outlook and Gmail. The flaw was first discovered at an ethical hacking and bug bounty event in June and patched by Zoom prior to its disclosure, with no known use in the wild.
AppOmni Offensive Security Engineer Ciarán Cotter first wrote about the details of the bug in a blog post Tuesday. The post explains how he and his colleagues used the vulnerability to gain access to Zoom Rooms service accounts at the HackerOne H1-4420 event on June 22. Zoom was a sponsor of the event and awarded bug bounty payouts to participating white-hat hackers.
“This vulnerability had the potential to allow an attacker to claim a Zoom Room’s service account and gain access to the victim’s organization’s tenant,” Cotter wrote. “As a service account, an attacker would have invisible access to confidential information in Team Chat, Whiteboards, and other Zoom applications.”
How could Zoom accounts be hijacked?
Zoom Rooms is a feature that allows video conferencing between teams in separate physical locations, such as when a company has offices in multiple cities or wants to bring in-person and remote workers into the same meeting.
As opposed to an individual’s Zoom account, the Zoom Room service account represents everyone at a particular location, such as a conference room, and “attends” Zoom meetings through one device at that location.
When a Zoom Room service account is first created, it is automatically assigned an email address generated by Zoom following the format “rooms_<account ID>@<domain name>.” The account ID is the user ID value of the service account, and the email domain name is always the same as that of the user with the Owner role in the organization’s Zoom tenant. For example, if the Owner’s email address is "[email protected]" and the account ID is 12345, the Zoom Room service email would be “[email protected].”
The AppOmni team found that if a hacker could create an email account with an identical name to the email address generated for the Zoom Room, they could use this email address to sign up for Zoom, activate the account and then use it to log in to the victim’s Zoom tenant. Cotter explained how this is possible in a comment on X (formerly known as Twitter).
“Rooms operate as service accounts, they were never activated until we activated them. There was something weird in the backend that let the Room serve its purpose as a service account without activation, allowing us to sign up with it,” Cotter wrote under his online handle monkehack.
Zoom hack could potentially leak confidential info
The main targets of exploitation of this bug would likely have been organizations that use free, widely available email providers like Outlook or Gmail. For example, if the Rooms email address is [email protected], anyone could easily create and access a Gmail account with this same name for free. Finding out the service email address of a Zoom Room to exploit was relatively easy; the address is available to anyone who attends a meeting with a Room or messages the Room on Team Chat.
Once the account hijacker gained access to the Zoom tenant, they would be able to use it to join or host meetings, view the organization’s contacts, and access the organization’s Whiteboards and Team Chat channels. With the ability to potentially sit in on confidential meetings, view collaborative company Whiteboards and read private conversations between employees, valuable information about business strategies, financial information and more could be leaked. AppOmni also discovered that the Room account could not be removed from any Team Chat channels by any administrator or the Owner.
“Following several conversations with the Zoom team, the vulnerability was validated and promptly remediated,” according to Cotter. “To mitigate this issue, Zoom removed the ability to activate Zoom Room accounts.”
A Zoom spokesperson told SC Media, "We have resolved this security issue. As always, we recommend users keep up to date with the latest version of Zoom to take advantage of Zoom's newest features and security updates."
$5,000 bug bounty claimed by ethical hackers
The white-hat hackers that discovered the bug received a $5,000 payout from Zoom’s bug bounty program, according to Cotter, who tweeted that Zoom rated the bug severity as “High” under its own Vulnerability Impact Scoring System (VISS). In addition to AppOmni, Ethical InfoSec Services (EIS) CEO Jayesh Madnani also contributed to the discovery of the bug.
Zoom has implemented a range of measures to improve its products’ security in the years since the COVID-19 lockdown that rocketed the company into the public spotlight. Back then, Zoom was heavily criticized due to a number of zero-day vulnerabilities and privacy problems plaguing the influx of new users.
As part of its efforts to boost security, it beefed up its bug bounty program and vulnerability disclosure efforts in 2020, working with HackerOne and Bugcrowd to help discover flaws. Zoom awarded $3.9 million in bounties in fiscal year 2023, and more than $7 million since the program began.
