Flaw was found in the video conferencing software’s web application
A critical vulnerability in Zoom’s sign up flow could allow an attacker to execute a cross-site scripting (XSS) attack.
Zoom’s web platform Zoom.us failed to sanitize the name of the user on the federated signup flow, an advisory reads.
In order to exploit the vulnerability, the victim first needs to click on a malicious link, which could be sent via a phishing email.
The advisory reads: “The attacker needs to convince a victim to visit a malicious link, then the exploit can log the victim back in as the real user, and gain access to the victim's Zoom.us account.
“This could allow an attacker to do anything the victim can do through the website.”
The bug, which has since been patched, was classed as high severity.
Researchers explained that this kind of attack would usually be prevented by a cross-site request forgery (CSRF) token in the state parameter of the OAuth (authentication) web flow.
Read more of the latest cybersecurity vulnerability news
Zoom.us did not contain any unpredictable tokens, and so the attack was relatively easy to perform.
Aside from clicking the link, no user interaction was required for the XSS to trigger, unless the victim was not an active Zoom user. In the latter case, they would have to perform an age check beforehand.
A proof of concept and more details about the vulnerability can be found here.
The bug has been patched in Zoom versions 2020.07.07 and above.
A Zoom spokesperson told The Daily Swig: “This issue has been addressed, and no action is required by users. Zoom appreciates vulnerability reports from researchers. If you think you’ve found a security issue with Zoom products, please send a detailed report to firstname.lastname@example.org.”
This article has been updated to include comment from Zoom.