Zoom fixes significant security flaw that could have allowed hackers to hijack your meetings

Zoom has confirmed that it has fixed a vulnerability in one of its features that allowed threat actors to steal sensitive data from users.

This is according to cybersecurity researchers at AppOmni, who discovered the vulnerability, detailed it, and reported it to the videoconferencing company for a fix.

The exploit could have allowed hackers to hijack meetings and steal information.

Collect important data

In a detailed report, researchers say they discovered a flaw in Zoom Rooms in June 2023.

Zoom Rooms is a system that allows team members in different physical locations to collaborate via Zoom. The user installs the app on an endpoint that serves as a terminal for the people in the room.

When a Zoom Room is created, Zoom creates a service account with licenses for Meetings and Whiteboards.

And that’s where the problem lies. Zoom automatically assigns an email address to the room service account. The address format is rooms_@companycomin.com. For example, if a user has an Outlook address, Zoom creates one in the format room_@outlook.com.

Since anyone can create an Outlook address, it’s easy to create a valid email inbox for a Zoom Room. Using that email, the researchers logged into Zoom and received an activation link in the inbox. Once activated, Zoom logged researchers into the victims’ Zoom tenant as a service account.

The service account is considered a team member, which allowed the researchers to collect information about the tenant laterally. Because a Zoom Room starts with two licenses, the account gave the researchers visibility into all users in the organization, allowing them to hijack meetings as if they were the hosts, view all whiteboards, and more.

The only requirement to successfully carry out the attack is to know the email address, which, considering the number of stolen emails per day, is not much of a problem. Malicious insiders can also accomplish this by simply being in the same Zoom Room.

After the researchers disclosed the findings to Zoom, the company immediately released a fix by removing the ability to create Zoom Room accounts.
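
A defender-side check for the condition described above, as an added example that is not from the article, AppOmni or Zoom: it scans a user-list export for room service accounts whose mailbox sits on a public mail provider or on a domain the organisation does not control. The `email` field name, the provider list and the sample rows are assumptions constructed for illustration.

```python
import re

# Assumption: a small illustrative set of mail providers where anyone can
# register an inbox. Extend it for your environment.
PUBLIC_MAIL_DOMAINS = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}

# The article gives the prefix as both "rooms_" and "room_", so accept either.
ROOM_LOCAL_PART = re.compile(r"^rooms?_", re.IGNORECASE)


def audit_room_accounts(users, controlled_domains):
    """Return room service accounts whose mailbox an outsider could own."""
    controlled = {d.lower() for d in controlled_domains}
    findings = []
    for user in users:
        email = user.get("email", "").strip().lower()
        local, sep, domain = email.rpartition("@")
        if not sep or not local or not domain:
            continue  # malformed address, nothing to evaluate
        if not ROOM_LOCAL_PART.match(local):
            continue  # not a room service account
        if domain in PUBLIC_MAIL_DOMAINS:
            reason = "public mail provider: anyone can register this inbox"
        elif domain not in controlled:
            reason = "domain not controlled by the organisation"
        else:
            continue  # mailbox lives on a domain the organisation owns
        findings.append({"email": email, "domain": domain, "reason": reason})
    return findings


# Constructed sample export (hypothetical accounts, not real data).
SAMPLE_USERS = [
    {"email": "alice@example.com"},
    {"email": "rooms_0001@example.com"},
    {"email": "room_0002@outlook.com"},
    {"email": "Rooms_0003@partner.example.net"},
    {"email": "not-an-address"},
]

if __name__ == "__main__":
    for finding in audit_room_accounts(SAMPLE_USERS, ["example.com"]):
        print(f"{finding['email']}: {finding['reason']}")
```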
