Technical Analysis of "Zoom Account Takeover via IDOR"

Overview: Nokline’s blog post discusses a critical Account Takeover (ATO) vulnerability in the Zoom platform, achieved through the exploitation of an Insecure Direct Object Reference (IDOR) flaw. This attack allows unauthorized access to user accounts and sensitive information without proper authentication checks.

Key Technical Details:

  1. Understanding IDOR:
     - IDOR (Insecure Direct Object Reference) occurs when an application grants access to objects based on user-supplied identifiers without checking that the requester is authorized for that specific object.
     - Attackers manipulate such references (e.g., user IDs) in request parameters to read or modify data belonging to other users.

  2. Initial Discovery:
     - The researcher identified an endpoint on Zoom's platform that exposed account-related information.
     - They noticed that the response depended on a user_id parameter, which they probed by changing its value manually.

  3. Endpoint Information:
     - An endpoint, say api.zoom.us/v2/users/[user_id], was accessible to any authenticated user.
     - By intercepting traffic (e.g., with Burp Suite), the researcher changed the user_id parameter to another user's ID and received that account's data.
     - The endpoint returned sensitive information that should have been available only to the account's owner or an otherwise authorized user, demonstrating the IDOR vulnerability.

  4. Exploitation Steps:
     - Step 1: Authentication - The attacker needed to be an authenticated user but did not need elevated privileges.
     - Step 2: Intercepting Request - Using an intercepting proxy, the attacker captured a request to the vulnerable endpoint.
     - Step 3: Modifying user_id - The attacker replaced the value of the user_id parameter with that of the target user.
     - Step 4: Access Gained - After forwarding the modified request, the attacker received another user's account information.

  5. Potential Impact:
     - Unauthorized access to sensitive user information, including PII (Personally Identifiable Information) such as email addresses and profile details.
     - Possibility of further exploitation, such as changing account settings or accessing meeting recordings and files.

  6. Mitigation:
     - Proper Access Control: Every endpoint should verify that the requesting user is authorized for the specific object being requested, not merely that the user is authenticated.
     - Object References: Instead of exposing direct object references (such as user IDs), use indirect references or other mechanisms that do not expose internal object IDs to end users.
     - Logging and Monitoring: Log object access and monitor for unusual patterns, such as one session requesting many different users' records, which could indicate IDOR exploitation.
     - Regular Penetration Testing: Test thoroughly for IDOR before deployment so that such flaws are found and remediated early.

  7. Reporting and Resolution:
     - The bug was reported to Zoom, which acknowledged the issue and rewarded the researcher for the discovery.
     - Zoom patched the vulnerability by applying consistent access control checks across its endpoints, so that user object IDs can no longer be manipulated to reach other users' data.
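To make the first and third mitigation points concrete, here is an added example (not code from Nokline's post or from Zoom): a minimal model of a /users/{user_id} handler with the IDOR defect beside a version that enforces an object-level authorization check, plus a log heuristic that flags one caller reading many distinct user records. The user records, roles and log format are constructed for the example.

```python
from collections import defaultdict

USERS = {  # constructed sample records; real services would query a store
    "u-100": {"email": "alice@example.test", "role": "member"},
    "u-200": {"email": "bob@example.test", "role": "member"},
    "u-300": {"email": "carol@example.test", "role": "admin"},
}

def get_user_vulnerable(caller_id, requested_id):
    """IDOR: authenticates the caller but trusts the user_id from the request,
    so any logged-in user can read any record (the flaw described above)."""
    if caller_id not in USERS:
        return 401, None
    if requested_id not in USERS:
        return 404, None
    return 200, USERS[requested_id]

def get_user_secure(caller_id, requested_id):
    """Object-level check: a member may read only their own record; only an
    admin may read others. The decision is made before touching the object."""
    caller = USERS.get(caller_id)
    if caller is None:
        return 401, None
    if requested_id != caller_id and caller["role"] != "admin":
        return 403, None  # deny first, so existence of the target is not leaked
    if requested_id not in USERS:
        return 404, None
    return 200, USERS[requested_id]

# Constructed access log: "<caller_id> GET /v2/users/<user_id> <status>"
SAMPLE_LOG = [
    "u-100 GET /v2/users/u-100 200",
    "u-200 GET /v2/users/u-100 200",
    "u-200 GET /v2/users/u-300 200",
    "u-200 GET /v2/users/u-400 200",
    "u-200 GET /v2/users/u-500 200",
    "u-300 GET /v2/users/u-100 200",
]

def flag_enumeration(log_lines, threshold=3):
    """Return callers that successfully read more than `threshold` distinct
    user records: the access pattern an IDOR probe leaves behind."""
    targets = defaultdict(set)
    for line in log_lines:
        caller, _, path, status = line.split()
        if status == "200" and path.startswith("/v2/users/"):
            targets[caller].add(path.rsplit("/", 1)[1])
    return sorted(c for c, t in targets.items() if len(t) > threshold)
```

Note that the secure handler returns 403 before the 404 check, so a caller cannot use the status code to enumerate which user IDs exist.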

Key Takeaways:

Conclusion:

This case study of Zoom highlights the significant risks posed by IDOR vulnerabilities and underscores the importance of robust access control mechanisms. Through diligent testing and prompt response, such vulnerabilities can be identified and mitigated, ensuring the protection of user data and the integrity of the platform.

For full details, check the original blog post here.