Zoom Rooms flaw that allowed meeting hijacking gets fixed


Zoom, the popular video conferencing platform, recently faced a significant security threat that could have potentially exposed users to data breaches and unauthorized access. Cybersecurity researchers from AppOmni discovered a vulnerability in Zoom Rooms, a feature designed to facilitate collaboration among team members in different physical locations.

The flaw, identified in June 2023, revolved around the way Zoom Rooms created service accounts for meetings and whiteboards. When a Zoom Room is initiated, the platform automatically generates a service account associated with the user’s email.

The issue arose because Zoom followed a predictable pattern when assigning email addresses to these service accounts, typically in the format rooms_@companydomain.com. For instance, if a user had a Gmail address, Zoom would create a corresponding address like rooms_@gmail.com.

Researchers exploited the predictability of the assigned email address

Exploiting this pattern, the researchers were able to register a valid email inbox matching a Zoom Room service account. They signed up for Zoom with that address and received an activation link in the inbox. Upon activation, Zoom inadvertently logged the researchers into the victim’s Zoom tenant as the service account. This granted them the status of a team member, allowing lateral movement across the tenant.

As Zoom Rooms usually start with two licenses, the exploit provided the researchers with visibility into all users within an organization. They could potentially hijack meetings as hosts, access all whiteboards, and gather sensitive information, posing a severe security risk.

The only requirement for executing this attack was knowledge of the victim’s email address. Given the prevalence of email breaches, this information is relatively accessible. Additionally, TechRadar reports that malicious insiders within the same Zoom Room could also exploit the vulnerability, raising concerns about the potential for unauthorized access and data theft.

Zoom acted promptly to resolve the security threat

AppOmni promptly reported their findings to Zoom, which took immediate action and issued a fix eliminating the ability to create Zoom Room accounts in this way.

In summary, the collaborative efforts of cybersecurity researchers and the swift response of Zoom have prevented a potential security threat.

2023-12-02 15:04:45