Hello,
I just want to report a possible security breach present in the documentation and in some samples for decrypting the X-Zoom-App-Context
HTTP header. A quick search shows that at least those are affected, but there could be more:
- Documentation:
https://developers.zoom.us/docs/zoom-apps/zoom-app-context
- Basic Zoom Apps JS sample:
https://github.com/zoom/zoomapps-sample-js/blob/main/server/helpers/cipher.js
- Custom Layout Zoom Apps sample:
https://github.com/zoom/zoomapps-customlayout-js/blob/main/server/helpers/cipher.js
- Collaborative text editor Zoom Apps sample:
https://github.com/zoom/zoomapps-texteditor-vuejs/blob/main/server/src/helpers/cipher.ts
The Advanced Zoom Apps sample does not have this issue. The relevant code is:
const decipher = crypto
  .createDecipheriv(
    "aes-256-gcm",
    crypto.createHash("sha256").update(secret).digest(),
    iv
  ) // no options object: the tag length is not pinned, so a shortened tag passed to setAuthTag() is still accepted
(...)
The option authTagLength should be set as follows:
const decipher = crypto
  .createDecipheriv(
    "aes-256-gcm",
    crypto.createHash("sha256").update(secret).digest(),
    iv,
    { authTagLength: 16 } // only a full 128-bit tag is accepted; anything shorter throws
  )
(...)
The description of the exploitation can be found here: https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module
This has been reported by our internal security tools, and we suspect others could introduce this vulnerability in their code by copy/pasting from Zoom’s documentation or samples.
It would be great if all the occurrences could be fixed. Thanks!