Claiming Zoom Rooms Service Accounts to Gain Access to Zoom Tenants

,

Disclaimer

This vulnerability was discovered as part of H1-4420, a HackerOne live hacking event of which Zoom was a participating company. This issue was fixed promptly by the Zoom team, and no production tenants were affected in any way.


In June 2023, a vulnerability in Zoom Rooms was discovered. This vulnerability had the potential to allow an attacker to claim a Zoom Room’s service account and gain access to the victim’s organization’s tenant. As a service account, an attacker would have invisible access to confidential information in Team Chat, Whiteboards, and other Zoom applications.

What are Zoom Rooms?

Zoom Rooms is a system developed by Zoom to allow team members in different physical locations to work together over Zoom. To set it up, the Zoom Rooms application is installed on a piece of hardware, such as an iPad. This device acts as a terminal for the people in the room, and “attends” the meeting on behalf of everyone there. To facilitate this, when a Zoom Room is created within the Zoom platform, a service account is created automatically with licenses for Meetings and Whiteboards.

How Service Accounts Could Have Been Misused

Predicting Email Addresses

A Room service account is automatically assigned an email address by Zoom themselves. This is generated in the format rooms_<account ID>@companydomain.com. In this case, the account ID is the user ID value of the service account. The email domain is directly inherited from the user with the Owner role in the tenant at the time of creation – if the Owner has the email address owner@example.com, then the service account will be room_<account ID>@example.com. While there are several ways to leak the account ID within Zoom, simply being in the same meeting as the Room and messaging the Room on Team Chat would disclose the Room’s entire email address.

Claiming Accounts

The problem with this approach for email generation is that this also applies to email domains of large email providers. For example, if the owner is using an outlook.com email address, the Room’s email address will be room__<account ID>@outlook.com. Since anyone can create an arbitrary Outlook email address, we can create a valid email inbox for a Zoom Room!

Next, we followed the Zoom sign-up flow using the Zoom Room’s email address. This caused an email activation link to be sent to the Zoom Rooms email address. However, as we now controlled this email inbox, we could click on this link and activate the account. Upon activation, Zoom’s backend automatically logged us into the organization’s Zoom tenant as the service account. Given that a service account is treated as a team member, we could now gather information laterally across the tenant.

Zoom Rooms, as service accounts with at least two licenses, had considerable access within the tenant as they were effectively treated as normal team members. They could view all users in the organization using the Contacts feature, hijack the meeting itself if they were the host, view all organization-wide whiteboards, and more.

We noted interesting behavior in the Team Chat feature. Zoom provides a feature called Channels, which as the name implies, is a system of text channels. Channels are open to tenant employees by default. Room users were able to view the contents of any channel, including confidential information and persist in this access completely invisibly. Room users could not be removed from the channel by any administrator – even the Owner.

Following several conversations with the Zoom team, the vulnerability was validated and promptly remediated. To mitigate this issue, Zoom removed the ability to activate Zoom Room accounts.

Conclusion

This finding demonstrated how service accounts could be misused to gain unauthorized access. SaaS systems are composed of many moving parts and managing the security of each part is a difficult task. While the scope of this finding was relatively limited, service accounts are often used by third-party apps as a means of retrieving data from SaaS applications. As one of the connecting points between the SaaS platform and the external internet, ensuring that such applications and service accounts are secured properly is crucial in maintaining a robust SaaS security posture.

SaaS Breach Info Center | AppOmni

SaaS Breach Info Center

As SaaS adoption continues to explode, the risk for breaches that threaten business operations and the security of highly sensitive data escalates. Learn how — and how often — SaaS data breaches occur.

Related Resources