zoom / zoomapps-advancedsample-react

This repository contains an Advanced Zoom Apps Sample. It should serve as a starting point for you to build and test your own Zoom App in development.
MIT License

Insecure X-Zoom-App-Context decryption allows user impersonation #14

Closed Starkteetje closed 5 months ago

Starkteetje commented 7 months ago

The decryptZoomAppContext routine is used to decrypt the X-Zoom-App-Context header. The decrypted value contains important information for the application, such as the user's ID and action, which the Zoom application will act upon. Unfortunately, the decryption process is insecure, as the Node crypto API does not enforce an expected length of the authentication tag, which allows forging values. Depending on the context, varying levels of user impersonation are possible. See https://github.com/zoom/zoomapps-sample-js/issues/24 for details.

SafeeSaif commented 5 months ago

Thanks for bringing this to our attention. This has been patched in the latest release Zoom-App-RefApp-Web-EP-20240625

Starkteetje commented 4 months ago

Hey @SafeeSaif, thanks for fixing this in this sample app. I just want to note that it is still unfixed in the remaining sample apps linked in https://github.com/zoom/zoomapps-sample-js/issues/24 and in particular also in the Zoom documentation, so for now most developers of Zoom Apps will likely continue to produce vulnerable Zoom Apps.