How I Hacked Zoom? The Session Takeover Exploit Chain Analysis


This article explores a recently discovered exploit chain that allows attackers to take over Zoom sessions. The exploit leverages vulnerabilities in Zoom’s cookie handling and OAuth implementation.

The attack begins with an XSS vulnerability that enables attackers to inject malicious code into a Zoom user’s session. According to research by Harel Security, this code can then be used to steal the user’s cookies, which contain information about the user’s identity and session state.

Cookies Stolen

With the stolen cookies, attackers can then employ a technique known as cookie tossing to impersonate the legitimate user. Cookie tossing involves sending the stolen cookies to a different server in an attempt to trick that server into believing that the attacker is the legitimate user.


OAuth Dirty Dancing Vulnerability

Once the attacker has successfully impersonated the user, they can exploit an OAuth vulnerability known as OAuth Dirty Dancing. OAuth is an authorization framework that allows users to grant third-party applications access to their accounts. OAuth Dirty Dancing is a vulnerability that can be exploited to bypass OAuth security measures and grant unauthorized access to a user’s account.

In the context of this exploit chain, the attacker can use OAuth Dirty Dancing to gain access to the victim’s Zoom account. This access allows the attacker to hijack the victim’s browser permissions and turn on their camera and microphone, effectively taking over the Zoom session.

Check camera Permission

This exploit chain highlights the importance of security awareness and best practices for both Zoom users and developers. Zoom users should be cautious about clicking on links or opening attachments from untrusted sources. Additionally, users should enable two-factor authentication to add an extra layer of security to their accounts.

Receive Bounty?

Yes. This vulnerability was found by Sudi, BrunoZero and H4R3L.

They reported the vulnerability to Zoom Security via its bug bounty program on 10/02/23 and were rewarded with a $15k bounty. The vulnerability has been fully patched by the Zoom security team.

Zoom developers should carefully review their code to identify and patch any potential XSS or OAuth vulnerabilities. Additionally, Zoom should implement stricter validation checks on incoming cookies to help prevent cookie tossing attacks.
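As an added illustration of the cookie validation recommended above (example code written for this article, not Zoom's own code): the check below treats a session cookie name appearing twice in one request as a cookie-tossing signal and rejects it, and the Set-Cookie helper uses the `__Host-` prefix so a cookie of that name cannot be planted from another subdomain. The cookie name and tokens are hypothetical.

```python
from typing import Dict, List, Tuple

# Hypothetical session cookie name; the __Host- prefix requires Secure,
# Path=/ and no Domain attribute, so another subdomain cannot set it.
SESSION_COOKIE = "__Host-zoom_session"


def parse_cookie_header(header: str) -> Dict[str, List[str]]:
    """Split a raw Cookie header, keeping every value seen for each name."""
    out: Dict[str, List[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        out.setdefault(name.strip(), []).append(value.strip())
    return out


def validate_session_cookie(header: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for the session cookie in a request."""
    cookies = parse_cookie_header(header)
    values = cookies.get(SESSION_COOKIE, [])
    if not values:
        return False, "no session cookie"
    if len(values) > 1:
        # Two cookies with the same name means one was set from a different
        # path or subdomain: the signature of cookie tossing. Reject instead
        # of silently using whichever the browser listed first.
        return False, "duplicate session cookie (possible cookie tossing)"
    token = values[0]
    if not token.isalnum() or len(token) < 32:
        return False, "malformed session token"
    return True, "ok"


def session_set_cookie(token: str) -> str:
    """Build a Set-Cookie value that a sibling subdomain cannot overwrite."""
    return f"{SESSION_COOKIE}={token}; Secure; HttpOnly; Path=/; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample: a legitimate cookie followed by a tossed duplicate.
    tossed = f"{SESSION_COOKIE}={'a' * 32}; {SESSION_COOKIE}={'b' * 32}"
    print(validate_session_cookie(tossed))
    print(session_set_cookie("c" * 32))
```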
