Contents
5.3.5 Zoom
We found that Zoom was vulnerable to the Classic-Federated Merge and Non-verifying IdP Attacks.
Classic-Federated Merge Attack.
Although free Zoom accounts require email verification before the account is cre- ated, this restriction was not present for paid accounts. This enables an attacker to abuse the paid account creation pro- cess to create an account using the victim’s email address and perform the Classic-Federated Merge Attack. The UI of Zoom when the victim tried to create their account in the Victim action phase of this attack is shown in Figure 5. As evident from the figure, the victim would believe they were creating a fresh account, instead of being signed in to the attacker-created account.
Non-verifying IdP Attack.
Since Zoom supports custom IdPs, the attacker could use a non-verifying IdP to create a Zoom account with the victim’s email address. For our experiments, we used OneLogin’s IdP service [30]. When the victim subsequently came to create a Zoom account with the same email address, Zoom did not notify the victim of the existence of an account with the same email address and instead signed the victim in to the attacker-created account. Being able to login to the victim’s Zoom account would enable the attacker to record the meetings attended by the victim, access the participant details (e.g., attendee names and email addresses) of any meetings hosted by the victim, access the sensitive chat history, impersonate the victim in Zoom chat, and sign in to other services where the victim uses Zoom as an IdP. When we responsibly disclosed these attacks to Zoom in August 2020 and March 2021, they assessed both reports as high severity and fixed the vulnerabilities.