Documentation and samples for deciphering Zoom's context header contain a security vulnerability

Hello,

I just want to report a possible security breach present in the documentation and in some samples for decrypting the X-Zoom-App-Context HTTP header. A quick search shows that at least these are affected, but there could be more:

  • Documentation: https://developers.zoom.us/docs/zoom-apps/zoom-app-context
  • Basic Zoom Apps JS sample: https://github.com/zoom/zoomapps-sample-js/blob/main/server/helpers/cipher.js
  • Custom Layout Zoom Apps sample: https://github.com/zoom/zoomapps-customlayout-js/blob/main/server/helpers/cipher.js
  • Collaborative text editor Zoom Apps sample: https://github.com/zoom/zoomapps-texteditor-vuejs/blob/main/server/src/helpers/cipher.ts

The Advanced Zoom Apps sample does not have this issue. The relevant code is:

// Vulnerable: no authTagLength option, so a shorter authentication tag is accepted
const decipher = crypto
    .createDecipheriv(
      "aes-256-gcm",
      crypto.createHash("sha256").update(secret).digest(),
      iv
    )
    (...)

The option authTagLength should be set as follows:

// Fixed: pin the tag length so only a full 16-byte authentication tag is accepted
const decipher = crypto
    .createDecipheriv(
      "aes-256-gcm",
      crypto.createHash("sha256").update(secret).digest(),
      iv,
      {authTagLength: 16}
    )
    (...)

The description of the exploitation can be found here: https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module.

This has been reported by our internal security tools, and we suspect others could introduce this vulnerability in their code by copy/pasting from Zoom’s documentation or samples.

It would be great if all the occurrences could be fixed. Thanks!
