←back to thread

Zoom outage caused by accidental 'shutting down' of the zoom.us domain

(status.zoom.us)
634 points RVRX | 4 comments | 17 Apr 25 00:55 UTC | HN request time: 0.003s | source
Show context
lrvick ◴[17 Apr 25 18:08 UTC] No.43720317[source]
To try to convince my employer at the time to drop Zoom, I decided to see how many security vulns I could find in 2-3 hours.

Found 12 confirmed bugs in that window using only binwalk and osint.

The worst was that I noticed the zoom.us godaddy account password reset email address was the personal gmail account of Eric S Yuan, the CEO.

So, I tried to do a password reset on his gmail account. No 2FA, and only needed to answer two reset questions. Hometown, and phone number. Got those from public data and got my reset link, and thus, the ability to control the zoom.us domain name.

They were unable to find a single English speaking security team member to explain these bugs to, and it took them 3 months to confirm them and pay me $800 in bug bounties, total, for all 12 bugs.

The one bright side is this did convince my employer to drop them.

replies(3): >>43720543 #>>43723875 #>>43726859 #
popcalc ◴[18 Apr 25 11:02 UTC] No.43726859[source]
You're admitting to committing a felony?
replies(1): >>43726899 #
1. MiguelX413 ◴[18 Apr 25 11:08 UTC] No.43726899[source]
White hat hacking is fine.
replies(1): >>43728413 #
2. popcalc ◴[18 Apr 25 14:29 UTC] No.43728413[source]
If you password reset my personal Gmail account I will sic the FBI on your tail without a second thought. Not cool.
replies(2): >>43733715 #>>43734244 #
3. lrvick ◴[19 Apr 25 02:26 UTC] No.43733715[source]
You can try, but they will not do anything unless I do actual harm.

https://www.justice.gov/archives/opa/pr/department-justice-a...

If you do not want your gmail password reset, I recommend hardware 2FA.

4. hunter2_ ◴[19 Apr 25 04:38 UTC] No.43734244[source]
The story says that the password reset link was received, which proves the vulnerability without actually denying service, causing loss, etc. As an analogy, the attacker found a key to a door but did not proceed to open the door.

It doesn't say the password reset link was used to change the password, which would deprive the account owner access and grant unauthorized access which of course would be illegal.