The attacker crafts a ZoomInfo phishing email to trick a user into loading the modified authorization URL.They take the authorization URL and change the redirect_uri parameter value supplied by ZoomInfo to their own attacker-controlled domain. The attacker initiates a Hubspot integration, leading to Hubspot's authorization page.An attacker signs up to the ZoomInfo platform.
The following steps outline a realistic attack scenario that can occur, leading to stolen Hubspot data: In the above section, I have outlined steps to reproduce this vulnerability. Click on "Authorize" to begin setup of the integration.
The attacker then can trick a user into clicking on the malicious authorization URL, leaking their authorization code upon consent and subsequently exposing their Hubspot data. The connector uses the OAuth 2.0 Authorization Code Grant to help enable this integration.Īn attacker can exploit an Open Redirect vulnerability during this flow by changing the original redirect_uri value to an attacker-controlled domain, to produce a malicious authorization URL. ZoomInfo's "connector" to Hubspot allows customers to integrate their Hubspot account to automatically sync and enrich company/contact data across both platforms. It has been more than 5 months since my submission but the security issue still exists (re-tested as of April 5th 2020). In addition to ZoomInfo, DiscoverOrg has also acquired iProfile, RainKing, Neverbounce, Komiko, and Tellwise and is backed by investment from TA & Associates, the Carlyle Group, and 22C Capital.Unfortunately, this is where the updates have stopped even after repeated follow-ups. 5000 list of the world’s fastest growing private companies. They have also secured multiple consecutive honors on the Inc. The combined organization serves over 15,000 customers and 120,000 users across the globe.īoth DiscoverOrg and ZoomInfo were recognized by G2Crowd as 2019 Top 100 Software Products and Top 10 Best Products for Sales. Together, DiscoverOrg and ZoomInfo now offer the most actionable and accurate business insights available today. ZoomInfo was recently acquired by DiscoverOrg in February 2019. For over a decade, our applications have empowered globally recognized companies like Accenture, Dell and PayPal, to achieve their most important objective: Profitable growth. ZoomInfo Powered by DiscoverOrg has combined an innovative suite of software tools with deep, high-quality data to transform and enable modern sales teams and go-to-market organizations.
0 kommentar(er)
