A bug hunter team revealed this week that they had discovered a Zoom flaw that could allow hackers to take over service accounts that belong to Zoom Rooms, a feature that enables video conferencing between different locations. The hackers could then access potentially sensitive information from the victim’s organization, such as team chat messages, whiteboards, and contacts. The flaw was fixed by Zoom before it was publicly disclosed, and there is no evidence that it was exploited by malicious actors.
The Zoom Rooms feature is designed to facilitate video meetings between teams that are in separate physical places, such as different offices or a mix of remote and in-person workers. Each Zoom Room represents a location, such as a conference room, and has a device that can join Zoom meetings on behalf of everyone in that location.
When a Zoom Room is created, Zoom automatically assigns it an email address that follows a fixed format: “rooms_<account ID>@<domain>”. The account ID is a unique number that identifies the service account, and the domain is the email domain of the user who holds the Owner role in the organization’s Zoom account. For example, if the Owner’s email is “owner@Corp.com” and the account ID is 12345, the Zoom Room email would be “rooms_12345@Corp.com.”
The bug hunters from AppOmni, a cloud security company, found that they could exploit this flaw by creating an email account with the same name as the Zoom Room email address, and then using it to sign up for Zoom. This would allow them to activate the service account and log in to the victim’s Zoom account. They explained how this was possible in a comment on X (formerly known as Twitter).
“Rooms operate as service accounts, they were never activated until we activated them. There was something weird in the backend that let the Room serve its purpose as a service account without activation, allowing us to sign up with it,” wrote Ciarán Cotter, an offensive security engineer at AppOmni, under his online handle monkehack.
The flaw mostly affected organizations whose Owner account used a free, publicly available email provider such as Outlook or Gmail, because the Room address inherits the Owner’s domain. For example, if the Zoom Room email address is rooms_12345@gmail.com, anyone could create a Gmail account with that exact name for free. The Zoom Room email address was easy to discover: it was visible to anyone who attended a meeting with the Room or messaged the Room on Team Chat.
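The address format described above, and the condition that made it risky, can be checked mechanically from a defender’s side. The following Python is an added example, not code from the article, AppOmni, or Zoom: it derives a Room address from an Owner email the way the article describes, parses addresses back into account ID and domain, and flags Rooms whose domain is a public, self-signup mail provider. The list of public domains, the sample addresses, and the function names are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Public, self-signup mail domains. Gmail and Outlook are the providers the
# article names; the rest are assumed equivalents. Extend for your environment.
PUBLIC_MAIL_DOMAINS = {
    "gmail.com", "googlemail.com",
    "outlook.com", "hotmail.com", "live.com",
}

# The documented Zoom Rooms format: rooms_<account ID>@<domain>
ROOM_ADDRESS_RE = re.compile(
    r"^rooms_(?P<account_id>\d+)@(?P<domain>[^@\s]+)$", re.IGNORECASE
)


def derive_room_address(owner_email: str, account_id: int) -> str:
    """Build the service-account address from the Owner's email domain,
    preserving the domain's case exactly as the Owner typed it."""
    if owner_email.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {owner_email!r}")
    domain = owner_email.rsplit("@", 1)[1]
    return f"rooms_{account_id}@{domain}"


def parse_room_address(address: str):
    """Return (account_id, domain) when the address follows the Zoom Rooms
    format, or None for any other mailbox (e.g. a normal user)."""
    match = ROOM_ADDRESS_RE.match(address.strip())
    if not match:
        return None
    return int(match.group("account_id")), match.group("domain").lower()


@dataclass
class RoomFinding:
    address: str
    domain: str
    on_public_domain: bool  # True when anyone could register this mailbox


def audit_room_addresses(addresses):
    """Classify each Room address seen in a directory export or chat log.
    Non-Room addresses are skipped; Rooms on public provider domains are
    flagged because an outsider could create the same mailbox for free."""
    findings = []
    for addr in addresses:
        parsed = parse_room_address(addr)
        if parsed is None:
            continue
        _, domain = parsed
        findings.append(RoomFinding(addr, domain, domain in PUBLIC_MAIL_DOMAINS))
    return findings


if __name__ == "__main__":
    # Constructed sample input: two Room addresses and one ordinary user.
    sample = ["rooms_12345@gmail.com", "rooms_67890@Corp.com", "alice@corp.com"]
    for finding in audit_room_addresses(sample):
        status = "PUBLIC DOMAIN - review" if finding.on_public_domain else "ok"
        print(f"{finding.address}: {status}")
```

Run it over the Room addresses you can enumerate from your own Zoom directory; any address flagged on a public domain is one whose mailbox an outsider could have registered while the flaw was live.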
Once the hackers gained access to the Zoom account, they could use it to join or host meetings, view the organization’s contacts, and access the organization’s Whiteboards and Team Chat channels. This could expose confidential information about the organization’s business strategies, financial data, and more. AppOmni also discovered that the service account could not be seen or removed by the Owner or other users in the organization, making it harder to detect and stop the attack.
The AppOmni team discovered the flaw at a hacking event sponsored by Zoom and HackerOne, a platform that connects ethical hackers with organizations that want to improve their security. The event, called H1-4420, took place on June 22, 2023. The team reported the flaw to Zoom, who fixed it before the team disclosed it to the public on August 10, 2023. Zoom also awarded the team a bug bounty for finding the flaw.
In sum, the flaw allowed an attacker to hijack the service account behind a Zoom Room and, through it, reach the victim organization’s team chat messages, whiteboards, and contacts. Zoom fixed it before public disclosure, and there is no evidence that it was exploited by malicious actors.