Hello everyone. While I was testing the login system of zoom.us I noticed that when you sign up with Facebook, and your Facebook account has no email address, it asks you to enter a new email address.
Step 1
I thought this was a good place to test, so I started testing this endpoint. The first thing I did was enter the email address of an existing Zoom account to see what would happen.
Step 2
It sent an activation code to that email address.
Step 3
So I checked the email address and got this message: if you confirm this email address, you can log in with Facebook to this account. I clicked the confirm button and got this link:
https://zoom.us/signin/term_accept/verify_email?code=vAlA5Mtp_jPqfUUPMuWK…….
Step 4
When I opened the link I got this page; if you click the Activate now button, the Facebook account will be connected with this email.
But when I looked at the code param in the link I was shocked 😲!!
The code param in the Step 4 link (Step 4 screenshot) has the same value as the code param in the Step 2 link (Step 2 screenshot).
This means the mailbox is never needed to obtain the confirmation code: an attacker can activate any account and connect it to their own Facebook account by taking the value of the code param from the link below,
https://zoom.us/signin/term_accept/one_more?code=XXX (Step 2 screenshot)
and using it as the code param of the activation email link:
https://zoom.us/signin/term_accept/verify_email?code=XXX (Step 4 screenshot)
Watch this video to see how an attacker was able to hijack any user's account just by knowing their email. Even if you had already linked your account with a Facebook account, Zoom automatically unlinks it and links the account with the attacker's Facebook account.
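The flow in Steps 1 to 4, condensed into a runnable model. This is an added example, not Zoom's code and not part of the original post: `VulnerableLinker` mints one code and places the same value in both the browser-visible `one_more` link and the emailed `verify_email` link, so the attacker never needs to read the mailbox and an existing Facebook link is silently overwritten; `HardenedLinker` shows one fix, where the browser only ever sees an opaque pending id while the secret goes solely to the inbox, is stored hashed, expires, is bound to its request and is consumed on first use. The two endpoint paths are the ones quoted above; the class names, the `pending`/`links` storage, the `fb:` identifiers and all server logic are assumptions made for illustration.

```python
"""Model of the email-verification flow from the write-up.

Added example, not Zoom's code. Only the two endpoint paths come from the
post; every class, field and helper below is an assumption for illustration.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

ONE_MORE = "https://zoom.us/signin/term_accept/one_more"
VERIFY_EMAIL = "https://zoom.us/signin/term_accept/verify_email"


def query(url):
    """Return the query parameters of a link as {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class VulnerableLinker:
    """Reproduces the flaw: ONE value is minted and used in both the
    browser-visible one_more link and the emailed verify_email link."""

    def __init__(self):
        self.pending = {}   # code -> (email, facebook_id)
        self.links = {}     # email -> facebook_id currently linked

    def start(self, email, facebook_id):
        code = secrets.token_urlsafe(16)
        self.pending[code] = (email, facebook_id)
        browser_url = f"{ONE_MORE}?code={code}"          # shown before any email is read
        email_url = f"{VERIFY_EMAIL}?code={code}"        # same value sent to the mailbox
        return browser_url, email_url

    def verify_email(self, code):
        entry = self.pending.pop(code, None)
        if entry is None:
            return False
        email, facebook_id = entry
        self.links[email] = facebook_id   # overwrites whatever Facebook account was linked
        return True


class HardenedLinker:
    """Fix: the browser gets an opaque pending id that proves nothing; the
    secret code is only ever sent by email, stored as a hash, expires, is tied
    to its pending id and is deleted on first successful use."""

    TTL = 15 * 60   # assumed lifetime of a code, in seconds

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # pending_id -> {email, facebook_id, code_hash, expires}
        self.links = {}

    def start(self, email, facebook_id):
        pending_id = secrets.token_urlsafe(16)   # identifies the request, not a secret
        code = secrets.token_urlsafe(32)         # only leaves the server inside the email
        self.pending[pending_id] = {
            "email": email,
            "facebook_id": facebook_id,
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "expires": self.now() + self.TTL,
        }
        browser_url = f"{ONE_MORE}?pending={pending_id}"
        email_url = f"{VERIFY_EMAIL}?pending={pending_id}&code={code}"
        return browser_url, email_url

    def verify_email(self, pending_id, code):
        entry = self.pending.get(pending_id)
        if entry is None or self.now() > entry["expires"]:
            self.pending.pop(pending_id, None)
            return False
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(entry["code_hash"], presented):
            return False
        del self.pending[pending_id]   # single use: a replayed link fails
        self.links[entry["email"]] = entry["facebook_id"]
        return True


def attack(server_cls, victim_email, attacker_fb="fb:attacker"):
    """Attacker enters the victim's email (Step 1), never sees the victim's
    inbox, and replays whatever the browser URL exposed onto verify_email."""
    server = server_cls()
    server.links[victim_email] = "fb:victim"   # victim already linked their own Facebook
    browser_url, _emailed = server.start(victim_email, attacker_fb)
    q = query(browser_url)
    if server_cls is VulnerableLinker:
        ok = server.verify_email(q["code"])
    else:   # hardened link carries no code; the attacker can only guess one
        ok = server.verify_email(q["pending"], q.get("code", "guess"))
    return ok, server.links[victim_email]


def legitimate(email, fb="fb:owner"):
    """Owner reads the email and clicks once; a second click must fail."""
    server = HardenedLinker()
    _browser, email_url = server.start(email, fb)
    q = query(email_url)
    first = server.verify_email(q["pending"], q["code"])
    replay = server.verify_email(q["pending"], q["code"])
    return first, replay, server.links.get(email)
```

`attack(VulnerableLinker, "support@companyname.com")` returns `(True, "fb:attacker")`, while `attack(HardenedLinker, ...)` returns `(False, "fb:victim")` because the only value the browser ever received was the pending id. The important design point is that the value shown to the unauthenticated requester and the value that proves mailbox access must be different secrets, and the latter must never be derivable from the former.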
After that I had an idea. Many companies have accounts on Zoom and use a business email to create them, such as support@companyname.com.
So if an attacker creates an account with the email address attacker@companyname.com and verifies it with this bug,
the attacker can view every account created with *@companyname.com in the Zoom app under Company contacts, which means the attacker can take over all of the company's accounts.
Impact
An attacker was able to:
1- join any user's meetings
2- read any user's chats, videos, photos and files
3- read all email addresses of any company
and do much more……
Timeline:
2020/03/30: found and reported to the Zoom security team without delay.
2020/04/01: the bug was fixed and I was awarded a $3k bounty + swag.
Follow me on twitter @sec_krd
Notice:
I have tested it only on my own accounts and all users are safe. If you think Zoom is not secure enough, you are wrong, because no website is 100% secure if white-hat hackers don't help them, and there are lots of white-hat hackers trying to improve Zoom's security.
Original article: Medium.com