5.3.5 Zoom

We found that Zoom was vulnerable to the Classic-Federated Merge and Non-verifying IdP Attacks.

Classic-Federated Merge Attack.

Although free Zoom accounts require email verification before the account is created, this restriction was not present for paid accounts.

This enables an attacker to abuse the paid account creation process to create an account using the victim’s email address and perform the Classic-Federated Merge Attack.

The UI of Zoom when the victim tried to create their account in the Victim action phase of this attack is shown in Figure 5.
As evident from the figure, the victim would believe they were creating a fresh account, instead of being signed in to the attacker-created account.

Non-verifying IdP Attack.

Since Zoom supports custom
IdPs, the attacker could use a non-verifying IdP to create
a Zoom account with the victim’s email address. For our
experiments, we used OneLogin’s IdP service [30]. When
the victim subsequently came to create a Zoom account with
the same email address, Zoom did not notify the victim of
the existence of an account with the same email address and
instead signed the victim in to the attacker-created account.
Being able to log in to the victim’s Zoom account would
enable the attacker to record the meetings attended by the
victim, access the participant details (e.g., attendee names and
email addresses) of any meetings hosted by the victim, access
the sensitive chat history, impersonate the victim in Zoom
chat, and sign in to other services where the victim uses Zoom
as an IdP. When we responsibly disclosed these attacks to
Zoom in August 2020 and March 2021, they assessed both
reports as high severity and fixed the vulnerabilities.
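As an added illustration (not code from the paper and not Zoom's implementation), the following Python model replays both flows described above, the Classic-Federated Merge Attack and the Non-verifying IdP Attack, against a minimal account store keyed on email address. A `hardened` switch shows the defensive policy a service can apply: no account is created before the service itself has verified the email address (an IdP's unverified email claim does not count), and a sign-up that collides with an existing account is never silently turned into a sign-in to that account. All names (`AccountService`, `victim@example.com`, `attacker-idp`, the outcome strings) are hypothetical and constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    email: str
    email_verified: bool                    # verified by the service itself, not by an IdP claim
    password: Optional[str] = None          # set only by the classic (password) sign-up
    linked_idps: Set[str] = field(default_factory=set)


class AccountService:
    """Hypothetical service keyed on email address; hardened=False models the behaviour described in the text."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: Dict[str, Account] = {}

    def classic_signup(self, email: str, password: str, verified: bool) -> str:
        # Hardened policy: no account exists until the service has verified the address.
        if self.hardened and not verified:
            return "refused_unverified"
        existing = self.accounts.get(email)
        if existing is None:
            self.accounts[email] = Account(email, verified, password=password)
            return "created"
        if not self.hardened:
            # Vulnerable pattern: the "new" user is silently signed in to the pre-existing account.
            return "signed_in_existing"
        # Hardened: report the collision instead of merging (user must prove ownership / sign in).
        return "exists_notify"

    def federated_signin(self, email: str, idp: str, idp_claims_verified: bool) -> str:
        # Hardened policy: an IdP that does not verify its email claims cannot mint an account.
        if self.hardened and not idp_claims_verified:
            return "refused_unverified"
        existing = self.accounts.get(email)
        if existing is None:
            self.accounts[email] = Account(email, idp_claims_verified, linked_idps={idp})
            return "created"
        # Vulnerable: any federated identity with a matching email is attached to the existing account.
        # Hardened: only reachable when the existing account is service-verified (unverified ones are never created).
        existing.linked_idps.add(idp)
        return "signed_in_existing"


VICTIM = "victim@example.com"   # constructed sample address


def classic_federated_merge(hardened: bool) -> dict:
    """Attacker pre-creates a classic account without verification; victim later signs up via an IdP."""
    svc = AccountService(hardened)
    attacker = svc.classic_signup(VICTIM, "attacker-chosen-pw", verified=False)
    victim = svc.federated_signin(VICTIM, "victim-sso", idp_claims_verified=True)
    acct = svc.accounts.get(VICTIM)
    return {
        "attacker": attacker,
        "victim": victim,
        # After the victim's sign-up, does the attacker's password still open the account?
        "attacker_has_password": acct is not None and acct.password == "attacker-chosen-pw",
    }


def non_verifying_idp(hardened: bool) -> dict:
    """Attacker pre-creates an account through an IdP that asserts the victim's email unverified; victim later signs up classically."""
    svc = AccountService(hardened)
    attacker = svc.federated_signin(VICTIM, "attacker-idp", idp_claims_verified=False)
    victim = svc.classic_signup(VICTIM, "victim-pw", verified=True)
    acct = svc.accounts.get(VICTIM)
    return {
        "attacker": attacker,
        "victim": victim,
        # After the victim's sign-up, is the attacker's IdP still a login path into the account?
        "attacker_idp_linked": acct is not None and "attacker-idp" in acct.linked_idps,
    }


if __name__ == "__main__":
    for name, scenario in (("classic-federated merge", classic_federated_merge),
                           ("non-verifying IdP", non_verifying_idp)):
        print(name, "vulnerable:", scenario(False))
        print(name, "hardened:  ", scenario(True))
```

In the vulnerable configuration both scenarios end with the victim signed in to an account the attacker still controls (a known password in the first case, a linked attacker-controlled IdP in the second). With `hardened=True` the attacker's unverified creation is refused outright, so the victim's later sign-up creates a fresh account; the collision branch (`exists_notify`) is the second line of defence for services that cannot yet refuse unverified creation everywhere.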

1. history



MoinQ: なりすまし/account_pre-hijacking/5/5.3.5 (last edited 2022-05-31 06:48:45 by ToshinoriMaeno)