In security, we always say, and firmly believe, that “Basics are the Hardest Part to Conquer”. That is simply the truth.
With recent events, the use of video-conferencing technologies has grown exponentially, and Zoom is being discussed a lot these days for that reason.
With new technologies advancing and usage increasing, it becomes essential to analyze the security posture of service providers, covering both their infrastructure and their applications.
This post is all about making the most important point — “Basics Should be Implemented Efficiently and Securely”. Developers should learn this and implement it. It is never just about coding, but about “Secure Coding”. What about the security QA engineers in this case? They should adhere to the basics and test the functionality explicitly, guided by an understanding of the threat models.
A quick one-minute check on the Zoom website produced the outcome shown in Figure 1. The email routine failed to validate the payload (string) submitted as an email address. Any string consisting of an empty quoted value “ ” followed by “@” is treated as a valid email. That’s it. No additional tests were conducted towards exploitation and so on; the point has been made clear enough.
Simple validations can be performed as:
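The check below is an added example written for this post, not code from Zoom or from the original write-up. It contrasts a lenient “is there an @ in it?” test (an assumption about the kind of check that lets an empty quoted local part through) with a stricter validator that still accepts the quoted local parts RFC 5321 allows, but only when they are non-empty, and that requires a sane domain. It is not a full RFC parser; the regular expressions and length limits are this example's own choices.

```python
import re

# Lenient check (assumed for illustration): accepts anything with an '@'
# that has something on both sides, so '""@example.com' passes.
LENIENT = re.compile(r'^.+@.+$')

# Stricter rules (constructed for this example, not a complete RFC 5321 parser):
# - unquoted local part: a dot-atom, no leading, trailing or doubled dots
# - quoted local part: permitted, but the quotes must contain at least one character
# - domain: labels of letters/digits/hyphens, at least one dot, alphabetic TLD
LOCAL_DOT_ATOM = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$"
)
LOCAL_QUOTED = re.compile(r'^"([^"\\\r\n]|\\.)+"$')
DOMAIN_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def lenient_check(addr: str) -> bool:
    """The weak test: only looks for an '@' with text around it."""
    return LENIENT.match(addr) is not None


def is_valid_email(addr: str) -> bool:
    """Stricter syntactic validation of a single email address."""
    if len(addr) > 254:            # overall length limit used by most MTAs
        return False
    # Split on the LAST '@' so a quoted local part may itself contain '@'.
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    if len(local) > 64:            # local-part length limit
        return False
    if local.startswith('"'):
        # Quoted form: closing quote required and at least one character inside,
        # which is exactly what rejects the empty '""' local part.
        if not LOCAL_QUOTED.match(local):
            return False
    elif not LOCAL_DOT_ATOM.match(local):
        return False
    labels = domain.split(".")
    if len(labels) < 2:            # require at least one dot in the domain
        return False
    if not all(DOMAIN_LABEL.match(label) for label in labels):
        return False
    if not labels[-1].isalpha():   # top-level label must be letters only
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, including the empty-quoted case from the post.
    samples = ['""@example.com', '"john doe"@example.com', 'user@example.com',
               'a..b@example.com', '@example.com', 'user@localhost']
    for s in samples:
        print(f"{s!r:28} lenient={lenient_check(s)!s:5} strict={is_valid_email(s)}")
```

The important line is the `LOCAL_QUOTED` pattern: it still honours the quoted form, so legitimate addresses such as `"john doe"@example.com` are not rejected, but the `+` quantifier means the quotes can never be empty. Validation like this belongs on the server side; a client-side check is only a convenience.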
Note: The issue has been reported to Zoom Security. As researchers, we do our part; the responsibility now rests with the vendor.
Basics Matter !