Digital Forensics Dispatch

Digital Forensics Blog
by Sensei Enterprises, Inc.

Chat Messages on Zoom Can Expose Users to Cyber-Attacks

May 26, 2022

Deidre Olsen, of Infosecurity Magazine, recently published an article about new vulnerabilities in Zoom, the videoconferencing platform that became a predominant application for communication and connection during the beginning of COVID-19.

Olsen stated, “The vulnerabilities could be exploited to compromise users over chat by sending specifically crafted Extensible Messaging and Presence Protocol (XMPP) messages and executing malicious code.”

XMPP is the standard upon which Zoom’s chat feature is built. An attacker who is nothing more than a normal chat user can exploit the vulnerabilities. For example, the victim’s client can be forced to connect to a malicious server and download an “update” from it, which can result in arbitrary code execution originating from a downgrade attack.

Ivan Fratric, a member of the Project Zero Team at Google, discovered the Zoom vulnerabilities. He wrote, “Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom’s client and server in order to be able to ‘smuggle’ arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack.”

The main issue with these vulnerabilities is that a cyber-attacker can find inconsistencies between the XML parsers in the software’s client and server. When this occurs, arbitrary XMPP stanzas can be smuggled to the victim’s client. This then lets the hackers abuse the software update process, weaponize it, and deliver an outdated and less secure version of Zoom to intended targets from a malicious server.
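The update-abuse path described above is exactly what a client-side update policy should close: the client must refuse updates that are unsigned, that come from an unpinned host, or that carry a lower version than what is already installed. The following is an added illustration written for this post, not code from Zoom or from the article; the host name, signing key and manifest layout are constructed assumptions, and the HMAC stands in for the vendor signature a real client would verify.

```python
"""Defensive update-policy check (added example; not Zoom's own code)."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed values for this example. A real client pins its vendor's
# update hosts and verifies a vendor signature, not a shared secret.
TRUSTED_UPDATE_HOSTS = {"updates.example.com"}
SIGNING_KEY = b"example-shared-secret"

def parse_version(text):
    """'5.10.4' -> (5, 10, 4); anything but dotted integers is rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)

def manifest_signature(url, version):
    """HMAC over the fields the policy relies on (stand-in for a real signature)."""
    msg = f"{url}\n{version}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def evaluate_update(installed_version, manifest):
    """Return (accepted, reason); rejects bad signatures, untrusted hosts, downgrades."""
    url = manifest.get("url", "")
    version = manifest.get("version", "")
    # 1. Check the signature first: nothing else in the manifest is trustworthy otherwise.
    expected = manifest_signature(url, version)
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        return False, "manifest signature mismatch"
    # 2. Only fetch from pinned vendor hosts over TLS, never from a server
    #    the chat session happened to point the client at.
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_UPDATE_HOSTS:
        return False, f"untrusted update source: {url}"
    # 3. Never install a version lower than the one already running (downgrade).
    try:
        offered, current = parse_version(version), parse_version(installed_version)
    except ValueError as exc:
        return False, str(exc)
    if offered < current:
        return False, f"downgrade refused: {version} < {installed_version}"
    return True, "update accepted"

if __name__ == "__main__":
    good = {"url": "https://updates.example.com/client-5.11.0.pkg", "version": "5.11.0"}
    good["sig"] = manifest_signature(good["url"], good["version"])
    print(evaluate_update("5.10.4", good))  # (True, 'update accepted')
```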

David Mahdi, chief strategy officer and CISO advisor at Sectigo, chimed in about how important multi-factor authentication is. He stated, “Multi-factor authentication (MFA), when correctly deployed, can mitigate cyber-criminal attacks from using stolen credentials to access devices or networks in the case of a phishing attack. This approach is critical to any business, or individual consumers, as a means to decrease the chances of becoming victim to identity-first cyber-attacks.”

While every system running Zoom is susceptible to attacks exploiting these vulnerabilities, Microsoft systems are the most prone to them.
