Security researchers revealed a vulnerability in Zoom that allowed unauthorized access to service accounts, which in turn could expose confidential information.

The flaw, primarily affecting Zoom tenants using email addresses from major providers like Outlook and Gmail, was initially found at a bug bounty event in June and promptly patched by Zoom before public disclosure. The vulnerability enabled hackers to claim a Zoom Room’s service account, gaining invisible access to Team Chat, Whiteboards, and other applications.

Zoom Rooms, designed for video conferencing between teams in different locations, represented potential targets for exploitation. The vulnerability arose from the creation of a Zoom Room service account, automatically assigned an email address. If a hacker could create an email account with an identical name, they could sign up for Zoom, activate the account, and log in to the victim’s Zoom tenant. This could potentially leak confidential information, as the compromised account would have access to meetings, contacts, Whiteboards, and Team Chat channels.

The Zoom team validated and promptly remediated the vulnerability, removing the ability to activate Zoom Room accounts. The security researcher who discovered the bug received a $5,000 payout from Zoom’s bug bounty program.
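As an added illustration (not Zoom's code and not part of the original segment), the following Python models the account-claim logic described above: the pre-fix flow in which proving control of the mailbox activated any account, the post-fix flow that refuses service accounts, and a tenant-side check for service accounts addressed at public mail domains. The `room-<id>@<domain>` address format, the function names and the provider list are assumptions.

```python
# Constructed model of the account-claim flaw described above. It is not Zoom's
# code; the address format, function names and provider list are assumptions.
from dataclasses import dataclass

PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com"}  # providers named in the report

@dataclass
class Account:
    email: str
    is_service_account: bool  # True for a Zoom Room's auto-created account
    activated: bool = False

def provision_room(tenant: dict, room_id: str, mail_domain: str) -> Account:
    """Assumed format: the room's service account gets a mailbox-style address
    at the domain the tenant's users already use."""
    acct = Account(f"room-{room_id}@{mail_domain}", is_service_account=True)
    tenant[acct.email] = acct
    return acct

def register_mailbox(provider: dict, email: str, who: str) -> bool:
    """Public mail provider: any party may register a name that is still free."""
    if email in provider:
        return False
    provider[email] = who
    return True

def activate_vulnerable(tenant: dict, provider: dict, email: str, who: str) -> bool:
    """Pre-fix flow: proving control of the mailbox (the sign-up verification
    mail) is enough to activate ANY account in the tenant, a Zoom Room's included."""
    acct = tenant.get(email)
    if acct is None or provider.get(email) != who:
        return False
    acct.activated = True
    return True

def activate_fixed(tenant: dict, provider: dict, email: str, who: str) -> bool:
    """Post-fix flow: a service account can no longer be activated this way."""
    acct = tenant.get(email)
    if acct is None or acct.is_service_account or provider.get(email) != who:
        return False
    acct.activated = True
    return True

def exposed_service_accounts(tenant: dict) -> list[str]:
    """Defender check: service accounts addressed at a public provider, where an
    outsider could register the same mailbox name before the organisation does."""
    return sorted(a.email for a in tenant.values()
                  if a.is_service_account
                  and a.email.rsplit("@", 1)[1] in PUBLIC_MAIL_DOMAINS)
```

The check in `exposed_service_accounts` is the inventory step a tenant administrator would run; it finds the accounts the report describes as affected, but the actual fix is on the service side, as the segment notes.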

This segment was created for the It’s 5:05 podcast