November 29, 2023

Zoom Vulnerability: Accessing Zoom Scheduler Meetings


Summary

While testing Zoom's new Zoom Mail and Calendar feature for vulnerabilities, we identified a flaw that allowed us to claim a "system" email address belonging to Zoom. Claiming this address put us in a man-in-the-middle position: we could intercept all incoming and outgoing email for it. The intercepted messages included meeting URLs containing meeting passwords, together with the attendees' email addresses.

Description

Zoom released a new feature called Zoom Mail and Calendar, a hosted email and calendar service comparable to Gmail, Yahoo Mail, Outlook and similar providers. A Zoom One Pro user can register one @zmail.com email address from their profile page. While investigating the inner workings of the email feature, we identified a vulnerability in how it validates which addresses a user is allowed to claim.

About zmail.com

zmail.com is the root domain used by Zoom Mail. While investigating, we noticed that zmail.com had its own MX record set. This MX record did not point to Google Workspace, Outlook or any other third-party email provider.

For a properly set up @zmail.com address, all meeting invites sent to it are added to its Zoom Calendar. Zoom also appeared to correctly bind each @zmail.com address to the user it was assigned to, so that nobody else could hijack that user's meeting invites.

zmail.com and domain validations

Next, we wanted to see whether we could link another user's existing non-@zmail.com email address to our account. In theory, this would give us access to every meeting invite sent to that user. This was our plan:

  • zoom-test@ophion.email is a registered account in Zoom.
  • From an attacker account, we would try to claim zoom-test@ophion.email in our ZMail settings, relying on a potential validation vulnerability.
  • If the vulnerability existed, meeting invites sent to zoom-test@ophion.email would land in the attacker account instead of in the zoom-test@ophion.email user's account.

When we attempted to claim zoom-test@ophion.email, we got an error:

[Screenshot: registration error]

This error was interesting because it did not say that only the @zmail.com domain was permitted. Instead, it indicated that an internal microservice had failed to validate ophion.email for use with Zoom Mail, which suggested the check depended on some property of the domain rather than on a fixed allowlist. We then tried the root domain and a number of subdomains of zoom.us. Most of them failed, but we were able to create a ZMail account for random-email@asynccomm.zoom.us. Comparing @zmail.com with @asynccomm.zoom.us, we noticed that the two domains share the same mail service:

[Screenshot: asynccomm.zoom.us has the same MX record as zmail.com]

Our theory was therefore that any domain whose MX record points to that specific mail service would be allowed. We found a couple more such domains and confirmed the theory:

  • zoomone.com
  • zmail.com
  • zmmail.us
  • scheduler.zoom.us

So far, however, we could only claim addresses under Zoom-owned domains other than zmail.com. While this was already a vulnerability, it was not yet impactful. Our original plan of claiming zoom-test@ophion.email would also not work, because the check keyed on the domain's mail service, and we could not control the mail services used by Zoom's users' domains.

Getting the Exploit

Having found domains we could claim within ZMail, we started by checking what kinds of email addresses we could register and receive mail for. For example, we noticed that we could register "root" (role) addresses for domains such as zoomone.com. This allowed us to claim addresses like postmaster@zoomone.com, but it still did not give us enough impact to demonstrate the severity of the vulnerability. We then started looking for active email addresses that Zoom itself uses under one of these domains.
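The two claim checks below are an added example, not Zoom's code. The first reconstructs the weak rule the domain-validation experiments above point to (any domain whose MX record resolves to the shared mail service is claimable, with no ownership check and no restriction on the local part); the second shows the control a practitioner would expect for both problems discussed so far: an exact allowlist of customer-facing domains, a denylist of role and service-sender local parts such as postmaster or no-reply, and a registry of addresses the platform itself sends from. The MX table, the placeholder mail-host names and the system-sender registry are constructed for the example; only the domain and address names are taken from this write-up.

```python
"""Added example (not Zoom's code): an address-claim check that keys on the
domain's MX record beside one that keys on an explicit allowlist and reserved
addresses. The MX table, host names and system-sender registry are constructed
for the example; only the domain and address names come from the write-up."""
from __future__ import annotations

import re
from typing import Optional, Tuple

# Constructed stand-in for DNS MX resolution. The write-up observed that the
# Zoom-owned domains share one mail service; the host names are placeholders.
SHARED_MAIL_HOST = "mx.shared-mailservice.invalid"
MX_TABLE = {
    "zmail.com": SHARED_MAIL_HOST,
    "asynccomm.zoom.us": SHARED_MAIL_HOST,
    "zoomone.com": SHARED_MAIL_HOST,
    "zmmail.us": SHARED_MAIL_HOST,
    "scheduler.zoom.us": SHARED_MAIL_HOST,
    "zoom.us": "mx.other-service.invalid",   # assumption: a different provider
    "ophion.email": "mx.ophion.invalid",     # user-controlled, different provider
}


def lookup_mx(domain: str) -> Optional[str]:
    """Offline replacement for a DNS MX query."""
    return MX_TABLE.get(domain.lower())


def split_address(address: str) -> Tuple[str, str]:
    """Return (local_part, domain), lower-cased; reject anything without exactly one '@'."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain


def weak_can_claim(address: str) -> bool:
    """Reconstruction of the inferred weak rule: a domain is claimable when its
    MX record points at the shared mail service. Neither domain ownership nor
    the meaning of the local part is checked, so random-email@asynccomm.zoom.us
    and scheduler-noreply@asynccomm.zoom.us both pass."""
    _, domain = split_address(address)
    return lookup_mx(domain) == SHARED_MAIL_HOST


# --- hardened version -------------------------------------------------------

# Only the customer-facing domain may be claimed; DNS plays no part in the decision.
CLAIMABLE_DOMAINS = frozenset({"zmail.com"})

# RFC 2142 role names plus common service-sender names, never user-claimable.
RESERVED_LOCAL_PARTS = frozenset({
    "postmaster", "abuse", "hostmaster", "webmaster", "security", "admin",
    "administrator", "support", "noreply", "no-reply", "donotreply",
})
# Also catch derived names such as scheduler-noreply or noreply.billing.
RESERVED_LOCAL_PART_PATTERN = re.compile(r"(^|[._-])(no-?reply|do-?not-?reply)($|[._-])")

# Hypothetical registry of addresses the platform sends mail from; the two
# entries are the senders named in the write-up.
SYSTEM_SENDERS = frozenset({
    "no-reply@asynccomm.zoom.us",
    "scheduler-noreply@asynccomm.zoom.us",
})

LOCAL_PART_SYNTAX = re.compile(r"^[a-z0-9][a-z0-9._+-]{0,63}$")


def hardened_can_claim(address: str) -> Tuple[bool, str]:
    """Refuse platform sender addresses, allowlist the domain, then refuse
    reserved local parts. Returns (allowed, reason) so denials can be logged."""
    local, domain = split_address(address)
    if f"{local}@{domain}" in SYSTEM_SENDERS:
        return False, "system sender address"
    if domain not in CLAIMABLE_DOMAINS:
        return False, "domain not claimable"
    if not LOCAL_PART_SYNTAX.match(local):
        return False, "invalid local part"
    if local in RESERVED_LOCAL_PARTS or RESERVED_LOCAL_PART_PATTERN.search(local):
        return False, "reserved local part"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "alice@zmail.com",
        "zoom-test@ophion.email",
        "random-email@asynccomm.zoom.us",
        "postmaster@zoomone.com",
        "scheduler-noreply@asynccomm.zoom.us",
        "scheduler-noreply@zmail.com",
    ):
        print(f"{candidate:40} weak={weak_can_claim(candidate)!s:5} "
              f"hardened={hardened_can_claim(candidate)}")
```

The system-sender check runs before the domain allowlist on purpose: if a service domain is ever added to CLAIMABLE_DOMAINS, the addresses the platform sends from stay unclaimable regardless.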

no-reply@asynccomm.zoom.us

One of the first addresses we noticed was no-reply@asynccomm.zoom.us, which Zoom uses to send the welcome email to new ZMail users. In theory, claiming this address could have disclosed every ZMail email address to us. While that would not disclose anything sensitive, it would still be a valid vulnerability. However, claiming no-reply@asynccomm.zoom.us failed: for this particular address we got a "User email already exists" error.

Perhaps Zoom was actually using this address, or someone had already claimed it. We then looked for more email addresses.

scheduler-noreply@asynccomm.zoom.us

While testing all features linked to Zoom Mail, we noticed the Zoom Scheduler feature. This is a Calendly-like feature where users publish their available times so that other users can book meetings in those slots.

When a meeting is booked, a confirmation email is sent to the linked ZMail account or to the primary calendar. This email originates from scheduler-noreply@asynccomm.zoom.us. We attempted to claim this address in our ZMail account and, to our surprise, it worked.

Soon after, our ZMail client had access to all meeting invites sent by scheduler-noreply@asynccomm.zoom.us. The disclosed information included:

  • The Zoom meeting URL.
  • The email address of the user who booked the meeting.
  • The email address of the user whose Scheduler slot was booked.

Report Timeline

  • April 07, 2023 - Vulnerability reported to Zoom.
  • April 11, 2023 - Vulnerability confirmed by Zoom.
  • April 12, 2023 - We internally confirmed that the vulnerability was patched. Any ZMail accounts not using @zmail.com had their session tokens revoked and could no longer be used.

We want to thank the Zoom team for working with us on this blog post and for the fast security patch for the vulnerability.