Zoom fixes significant security flaw that could have allowed hackers to hijack your meetings

News
By published

Researchers found a way to abuse Zoom Rooms

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Zoom has confirmed it fixed a vulnerability in one of its features which allowed threat actors to steal sensitive data from users.

This is according to cybersecurity researchers from AppOmni, which discovered the vulnerability, detailed it, and reported it to the video conferencing company for fixing.

The exploit could have allowed hackers to hijack meetings and steal information.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Harvesting important data

In a detailed report  the researchers said that they discovered a flaw in Zoom Rooms in June 2023. 

Zoom Rooms is a system that allows team members in different physical locations to work together over Zoom. The user would install the app on an endpoint which would serve as a terminal for the people in the room. 

When a Zoom Room is created, Zoom creates a service account with licenses for Meetings and Whiteboards.

And that’s where the problem lies. Zoom automatically assigns an email address to the Room service account. The format of the address is rooms_<account ID>@companycomain.com. So, for example, if a user has an Outlook address, Zoom would create one in the format of room_<account ID>@outlook.com.

Since everyone can create an Outlook address, it’s easy to create a valid email inbox for a Zoom Room. Using that email, the researchers signed up to Zoom, and got an activation link in the inbox. Upon activation, Zoom logged the researchers into the victims’ Zoom tenant as the service account. 

The service account is considered a team member, allowing the researchers to gather information laterally across the tenant. As Zoom Rooms starts with two licenses, it gives the researchers a view of all users in the organizations, allows them to hijack meetings as if they were the hosts, view all whiteboards, and more.

The only prerequisite to successfully pulling off the attack is knowing the email address which, considering the amount of stolen emails every day, isn’t that big of a challenge. Malicious insiders can also pull it off by simply being in the same Zoom Room.

After disclosing the findings to Zoom, the company promptly issued a fix, by removing the ability to create Zoom Room accounts.

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
the YouTube logo on a screen in front of other YouTube logos covering a black background
Worrying YouTube security flaw exposed billions of user emails
Webex by Cisco banner on a Chromebook
Cisco warns some Webex users of worrying security flaw, so patch now
Password
Millions of airline customers possibly affected by OAuth security flaw
Shadowed hands on a digital background reaching for a login prompt.
A flaw in Google OAuth system is exposing millions of users via abandoned accounts
Location Data
Cloudflare CDN flaw could expose user location simply by sending an image
A person at a laptop with a cybersecure lock symbol floating above it.
A worrying security flaw could have left Microsoft SharePoint users open to attack
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
More about security
Money

Financial leaders still rely on regular tools like Excel for automation tasks over AI
Half man, half AI.

Generative AI has a long way to go as siloed data and abuse of its capacity remain a downside – but it does change the game for security teams
HAMR

Seagate reportedly sold two billion GBs worth of storage to two of the world's largest tech companies
See more latest
Most Popular
HAMR
Seagate reportedly sold two billion GBs worth of storage to two of the world's largest tech companies
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
Oracle
Bluehost owner is moving to Oracle Cloud, so could thousands of websites be about to migrate?
Money
Financial leaders still rely on regular tools like Excel for automation tasks over AI
Two examples of the Asus Fragrance Mouse MD101 sitting on a table
Your next computer mouse could have a fragrance compartment for aromatherapy oils – and this Asus idea is nothing to sniff at
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
Eizo FlexScan FLT
Behold the world's most power-efficient monitor — the EIZO FlexScan FLT