Generate a random Meeting ID for scheduled meetings. Your Personal Meeting ID is very useful for instant meetings and when people want to contact you one-on-one but should not be used for scheduled meetings. If you would like to invite the public to join your meeting, it is better to have them register to join (see below).ĭon’t use your Personal Meeting ID for scheduled meetings To prevent unwelcome visitors from joining your meeting, it is important to protect your meeting URL and ensure that only legitimate participants have access to it. Never post your meeting URL or password in a public forum
Locate the Zoom Mobile Apps and select download for the type of device.
The Zoom desktop application will then be logged in and you may commence using the application. Enter your MacID followed by Press Next. Enter the comapny or domain as “McMaster”, then Continue. At the log in screen, Select “Sign in with SSO”. The site will automatically detect your operating system and download the proper version. Locate the Zoom client for Meeting and select download. The proof of concept provided to Zoom used provided a screenshot with a legacy GMail account. To put a payload in a Google account name an attacker can use a service account, a premium GSuite account through an API, or a legacy GMail account. If the victim was not an active Zoom user, then the victim had to pass the "age check" before the XSS could trigger. If the victim was an active user, then the attack required no user interaction. Usually an attack like this would be prevented by a CSRF token in the state parameter of the OAuth web flow, but did not contain any unpredictable tokens, so exploitation was straightforward. The last URL in step (3) could then be sent to unsuspecting victims, which would then trigger the XSS. Visit the following URL while being logged-in with the attacker's account (the attacker's account needs to have the xss payload on its name):. In order to construct such a URL, the attacker had to: The victim had to visit a URL of the form. This could allow an attacker to do anything the victim can do through the website. 
The attacker needs to convince a victim to visit a malicious link, then the exploit can log the victim back in as the real user, and gain access to the victim's account. SeverityĬalculated as High by Google ( source).
This allowed an attacker to execute arbitrary JavaScript on a victim's browser in the context of when opening a malicious link. did not sanitize the name of the user on the federated signup flow.
0 kommentar(er)
