Zoom Video Communications Public Statement
February 27, 2018
On February 27, 2018, CERT announced a recently-discovered, SAML-based single sign-on (SSO) vulnerability which, if exploited, could impersonate a different user or privileged account. Details about the reported vulnerability can be found on the Duo Labs website here.
Who is potentially impacted by this vulnerability?
Any organization that leverages SAML-based SSO maybe be at risk.
How does this affect your Zoom account?
Zoom is a service provider and supports SAML-based SSO to allow user to login to Zoom services using their company’s credentials. Zoom works with any identity provider (IdP) that supports SAML 2.0.
What is Zoom doing to mitigate this vulnerability?
Zoom’s Security and Engineering teams have verified that we are not directly affected by this vulnerability. We are reaching out to IdPs that we support to ensure that they are evaluating the vulnerability, and if needed, taking necessary steps to mitigate this threat.
What do I need to do?
If your company uses SAML-based SSO, reach out to your SAML provider to make sure they are evaluating the vulnerability and taking steps to mitigate the threat.