Zoom fixes significant security flaw that could have allowed hackers to hijack your meetings
Zoom has confirmed it fixed a vulnerability in one of its features which allowed threat actors to steal sensitive data from users.
This is according to cybersecurity researchers from AppOmni, which discovered the vulnerability, detailed it, and reported it to the video conferencing company for fixing.
The exploit could have allowed hackers to hijack meetings and steal information.
Harvesting important data
In a detailed report the researchers said that they discovered a flaw in Zoom Rooms in June 2023.
Zoom Rooms is a system that allows team members in different physical locations to work together over Zoom. The user would install the app on an endpoint which would serve as a terminal for the people in the room.
When a Zoom Room is created, Zoom creates a service account with licenses for Meetings and Whiteboards.
And that’s where the problem lies. Zoom automatically assigns an email address to the Room service account. The format of the address is rooms_<account ID>@companycomain.com. So, for example, if a user has an Outlook address, Zoom would create one in the format of room_<account ID>@outlook.com.
Since everyone can create an Outlook address, it’s easy to create a valid email inbox for a Zoom Room. Using that email, the researchers signed up to Zoom, and got an activation link in the inbox. Upon activation, Zoom logged the researchers into the victims’ Zoom tenant as the service account.
The service account is considered a team member, allowing the researchers to gather information laterally across the tenant. As Zoom Rooms starts with two licenses, it gives the researchers a view of all users in the organizations, allows them to hijack meetings as if they were the hosts, view all whiteboards, and more.
The only prerequisite to successfully pulling off the attack is knowing the email address which, considering the amount of stolen emails every day, isn’t that big of a challenge. Malicious insiders can also pull it off by simply being in the same Zoom Room.
After disclosing the findings to Zoom, the company promptly issued a fix, by removing the ability to create Zoom Room accounts.
More from TechRadar Pro
Zoom has confirmed it fixed a vulnerability in one of its features which allowed threat actors to steal sensitive data from users. This is according to cybersecurity researchers from AppOmni, which discovered the vulnerability, detailed it, and reported it to the video conferencing company for fixing. The exploit could have…
Recent Posts
- Birdfy’s solar-powered smart feeder is down to one of its best prices
- Are OLED TVs still worth the premium in 2026?
- The Clapper was a bad smart home gadget — and a viral sensation
- Which DJI camera should I buy? Here’s our essential guide to your options, including the results of our in-depth testing
- The future of physical games is not looking great
Archives
- July 2026
- June 2026
- May 2026
- April 2026
- March 2026
- February 2026
- January 2026
- December 2025
- November 2025
- October 2025
- September 2025
- August 2025
- July 2025
- June 2025
- May 2025
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023