Just a Message in the Zoom App Can Hijack Your Account

Zoom Flaws Could Let Attackers Hack Accounts Just by Sending a Message.

Google recommends that Zoom users update their application clients to version 5.10.0 to apply fixes for several vulnerabilities discovered by Google Project Zero security researcher Ivan Fratric.

“For a successful attack, you don’t even need to interact directly with the user. An attacker simply needs to be able to send messages to the victim via the XMPP protocol in Zoom chat,” Fratric said in detailing the vulnerability chain.

By examining differences in XMPP message parsing between the Zoom server and the Zoom clients, Fratric uncovered a chain of vulnerabilities that allowed attackers to remotely execute malicious code. To demonstrate the attack, the researcher sent a specially crafted message, performed a man-in-the-middle attack, and redirected the “victim” client to his own server, which served an old version of the Zoom client from mid-2019.

"The installer for this version is still properly signed, but does not perform any security checks on the installation cab file," Fratric added. "To demonstrate how the attack works, I replaced Zoom.exe in the cab file with a binary file that opened the standard Windows calculator, and immediately after installing the 'update' I saw the calculator running."
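An added defensive example, not code from Zoom or from Fratric's write-up, showing the three checks an updater needs to refuse the chain described above: label-wise hostname allowlisting before a server switch, rejection of version downgrades, and pinning the unpacked cab file to an expected hash rather than trusting only the installer signature. The domain allowlist, the version strings and the cab bytes are constructed assumptions.

```python
# Added illustrative example (not Zoom's code). Domains, versions and the
# cab payload below are constructed assumptions mirroring the article.
import hashlib
from urllib.parse import urlsplit

# Assumed allowlist of domains a client may be switched to (hypothetical).
ALLOWED_DOMAINS = ("zoom.us", "zoomgov.com")
INSTALLED_VERSION = "5.10.0"  # the fixed client version the article names


def parse_version(v: str) -> tuple:
    """'5.10.0' -> (5, 10, 0); numeric compare, so (5, 10, 0) > (5, 9, 9)."""
    return tuple(int(part) for part in v.strip().split("."))


def host_allowed(url: str) -> bool:
    """Label-wise suffix match: 'zoom.us' and 'web.zoom.us' pass;
    'zoom.us.attacker.example' and 'notzoom.us' do not."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def is_downgrade(offered: str, installed: str = INSTALLED_VERSION) -> bool:
    """True when the offered package is older than what is installed."""
    return parse_version(offered) < parse_version(installed)


def validate_update(server_url: str, offered_version: str,
                    cab_bytes: bytes, expected_sha256: str) -> str:
    """Return 'ok' or the reason the update must be refused."""
    if not host_allowed(server_url):
        return "refused: server host not in allowlist"
    if is_downgrade(offered_version):
        return "refused: downgrade to %s" % offered_version
    # A signed installer is not enough: pin the payload it unpacks as well.
    if hashlib.sha256(cab_bytes).hexdigest() != expected_sha256:
        return "refused: cab hash mismatch"
    return "ok"
```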

In a security bulletin published last week, Zoom said a researcher had also found a vulnerability that could allow user session cookies to be sent to a non-company domain. This vulnerability allowed attackers to carry out spoofing attacks.

There are four vulnerabilities that Zoom has fixed since Fratric's report:

CVE ID          Title                                                                               Severity
CVE-2022-22784  Improper XML Parsing in Zoom Client for Meetings                                    High
CVE-2022-22785  Improperly constrained session cookies in Zoom Client for Meetings                  Medium
CVE-2022-22786  Update package downgrade in Zoom Client for Meetings for Windows                    High
CVE-2022-22787  Insufficient hostname validation during server switch in Zoom Client for Meetings   High

Three other vulnerabilities affect Android, iOS, Linux, macOS, and Windows.

A Google Project Zero researcher discovered the vulnerabilities in February; Zoom fixed them on the server side that same month and released updated clients on April 24.
