CVE-2023-36535 - How a Zoom Security Flaw Could Leak Sensitive Information (With Exploit Example)
In late 2023, security researchers uncovered a critical vulnerability in Zoom clients, tracked as CVE-2023-36535, that let attackers bypass restrictions which were enforced only by the client app rather than by Zoom's servers. In simple terms, Zoom relied too much on its app to enforce rules intended to protect information, leaving a loophole where an attacker with a valid account could trigger information leaks over the network. The issue affects Zoom clients before version 5.14.10.
This post breaks down, step by step, what CVE-2023-36535 is, how it works, and provides a simplified exploit example. We’ll also share direct links to official references and show why this vulnerability highlights the risks of relying on client-side checks for security.
1. What Is CVE-2023-36535?
CVE-2023-36535 is a security vulnerability found in Zoom’s client software. It happens because the Zoom app itself is responsible for enforcing certain confidential settings, instead of having the server take charge. If someone logs in as an authenticated user (basically, someone with any valid account), they can tweak Zoom’s client-side code (with a proxy, custom code, or similar) to bypass restrictions and pull information they shouldn’t see.
- Affects: Zoom clients before 5.14.10 (Windows, Mac, Linux)
- Threat: Authenticated users can extract restricted information via direct network access or by modifying the client’s behavior
- Impact: Information disclosure (sensitive meeting data, user info, or more, depending on exposed functionality)
2. Client-Side vs. Server-Side Security
Server-side security means checks happen on Zoom’s servers (in their data centers).
Best practice: All crucial security enforcement should ALWAYS be on the server.
The problem in Zoom: Some restrictions (like "don’t show X info to Y user") were only checked by the app, not enforced by the server. By tampering with the app or network requests, a determined user could view information they shouldn’t.
3. How Could Attackers Exploit It?
Attackers with a regular Zoom account could intercept and modify network requests sent by the client app. Tools like Burp Suite or Fiddler act as a "middle-man" (an intercepting proxy), showing what the app sends and receives. By tweaking those requests, a user could ask for extra information, and because the server did not re-check permissions, it trusted whatever the client asked for.
Example Attack Scenario
Let’s say there is a confidential setting ("Do not show host’s email") set by the meeting owner. The Zoom client is supposed to block users from viewing this email—but the server would still include this info if the app directly requested it.
- Join a Meeting and capture the network traffic.
- Find Sensitive Endpoints, such as /getMeetingDetails or similar.
- Modify or Replay Requests, changing parameters or adding ones not normally allowed by the client.
- Receive Extended Data: the server, trusting the client, returns more information than should be allowed.
4. Exploit Example (For Educational Purposes Only)
Below is a Python code snippet demonstrating a simplified, conceptual example. This is sanitized for educational use only.
Assuming the Zoom API responds to authenticated requests and the server lacks proper authorization checks:
```python
import requests

# Zoom REST endpoint for a single meeting (the meeting id is filled in below)
ZOOM_API_URL = "https://api.zoom.us/v2/meetings/{meeting_id}"
ACCESS_TOKEN = "YOUR_JWT_OR_OAUTH_TOKEN_HERE"  # any valid, authenticated token
MEETING_ID = "123456789"

headers = {
    "Authorization": f"Bearer {ACCESS_TOKEN}",
    "Content-Type": "application/json",
}

# Try to fetch sensitive information directly, bypassing the client UI
response = requests.get(
    ZOOM_API_URL.format(meeting_id=MEETING_ID),
    headers=headers,
    timeout=10,
)

if response.status_code == 200:
    data = response.json()
    # Let's assume 'host_email' is supposed to be hidden by the client
    print("Host Email:", data.get("host_email", "Not available"))
    print("All Data:", data)
else:
    print("Failed to retrieve meeting data:", response.status_code)
```
> Note: This example won't work unless you have valid Zoom API credentials and access. It's only to show how an unauthorized field could be fetched if the server doesn’t check permissions.
5. How Was it Fixed?
As of Zoom client version 5.14.10, Zoom moved the security checks to the server side. Now, if you try to request info you’re not allowed to see—as in the example above—the server will reject your request, even if you tamper with the client or the network.
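To make the client-side vs. server-side distinction from section 2 and the fix described here concrete, below is an added Python example (not Zoom's code and not from the original post) that contrasts a meeting-details handler which leaves the "Do not show host's email" rule to the client with one that enforces it on the server. The meeting records, user ids, and the `hide_host_email` setting name are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (not real Zoom records): two meetings, one whose
# owner enabled "Do not show host's email" and one that left it off.
MEETINGS = {
    "123456789": {"id": "123456789", "topic": "Quarterly planning",
                  "host_id": "host-1", "host_email": "host@example.com",
                  "settings": {"hide_host_email": True}},
    "987654321": {"id": "987654321", "topic": "All hands",
                  "host_id": "host-2", "host_email": "host2@example.com",
                  "settings": {"hide_host_email": False}},
}


@dataclass
class Requester:
    user_id: str
    authenticated: bool = True


def vulnerable_meeting_details(meeting_id, requester, params=None):
    """Client-side enforcement only: after authentication the server returns
    the whole record and relies on the app's UI to hide host_email.
    Any authenticated user who calls the endpoint directly gets the email."""
    meeting = MEETINGS.get(meeting_id)
    if meeting is None or not requester.authenticated:
        return None
    return {k: v for k, v in meeting.items() if k != "settings"}


def hardened_meeting_details(meeting_id, requester, params=None):
    """Server-side enforcement: the owner's setting and the requester's
    identity decide what is returned; request parameters cannot widen it."""
    meeting = MEETINGS.get(meeting_id)
    if meeting is None or not requester.authenticated:
        return None
    visible = {"id": meeting["id"], "topic": meeting["topic"],
               "host_id": meeting["host_id"]}
    is_host = requester.user_id == meeting["host_id"]
    if is_host or not meeting["settings"]["hide_host_email"]:
        visible["host_email"] = meeting["host_email"]
    # Extra parameters such as {"include_host_email": "true"} are simply
    # ignored: the client never gets to override the owner's setting.
    return visible


if __name__ == "__main__":
    attacker = Requester("user-2")
    print("vulnerable:", vulnerable_meeting_details("123456789", attacker))
    print("hardened:  ", hardened_meeting_details("123456789", attacker,
                                                  {"include_host_email": "true"}))
```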
6. References
- Zoom Security Bulletin: ZSB-24002
- CVE Record: CVE-2023-36535
- Zoom Release Notes
- Burp Suite Community Edition
- Zoom API Docs for Developers
7. Conclusion & Takeaway
CVE-2023-36535 highlights a classic software mistake: trusting the client too much. Whenever you build a system—especially where sensitive information is involved—always validate and enforce permissions on the server side, no matter what the client says.
If you use Zoom:
Make sure you are running the latest client (5.14.10 or above). If you are an admin, enforce updates organization-wide.
For developers:
Never trust client-side checks for access control. Make your server the gatekeeper!
Stay Safe and Updated
Zoom patched this quickly, but similar issues have affected many platforms. Always keep your software up to date, and be cautious of apps that request or display information outside their intended permissions!
*Written exclusively by GPT-4 for simple, clear understanding of CVE-2023-36535 and its impact.*
Timeline
Published on: 08/08/2023 18:15:00 UTC
Last modified on: 08/11/2023 14:01:00 UTC