Zulip Cloud security vulnerability with reusable invitation links

An internal investigation recently uncovered a vulnerability (identified as CVE-2022-21706) in Zulip’s invitation links. Specifically, a reusable invitation link could be used to join a different organization than the one it was created for. As a result, there was a potential for users to join any organization without an invitation (and bypassing domain restrictions).

This vulnerability was discovered by the Zulip security team, and has now been fixed for all Zulip Cloud organizations. It has been present since the first reusable invitation links were created in October 2017, though only a handful of such links existed before the menu option for creating them was introduced in February 2019.

It was also possible to use this vulnerability to join an organization with elevated permissions (e.g. in a moderator or administrator role). However, we are confident that there were no instances of this happening on Zulip Cloud.
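To make the failure mode concrete, the following is an added example written for this post; it is not Zulip's code and does not describe how Zulip's invitation system is implemented. It models a multi-tenant server with a single server-wide table of invitation tokens and shows, side by side, a redemption routine that accepts any known token for any organization (the class of bug described above, including the role carried on the link) and a hardened routine that refuses a token issued for a different organization. All names (Organization, Invitation, join_vulnerable, join_hardened) and the sample organizations are constructed for the example.

```python
"""Added example (hypothetical names; not Zulip's implementation): binding a
reusable invitation link to the organization it was issued for."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Organization:
    name: str
    invite_required: bool
    allowed_email_domains: frozenset = frozenset()   # empty = any domain


@dataclass(frozen=True)
class Invitation:
    token: str
    org: Organization   # organization the link was issued for
    role: str           # role granted to whoever redeems it


@dataclass(frozen=True)
class Membership:
    org: str
    email: str
    role: str


class RedemptionError(Exception):
    pass


def issue_invitation(invites, org, role="member"):
    """Mint a reusable link for `org` and store it in the server-wide token
    table `invites` (a dict standing in for the database)."""
    inv = Invitation(secrets.token_urlsafe(32), org, role)
    invites[inv.token] = inv
    return inv


def email_domain(email):
    return email.rsplit("@", 1)[-1].lower()


def join_vulnerable(invites, token, target, email):
    """Flawed redemption: any known token is accepted. `target` is chosen by
    the request (e.g. by the hostname being joined), not by the invitation,
    so a token minted for one organization works for every other one and
    brings its stored role along."""
    inv = invites.get(token)
    if inv is None:
        raise RedemptionError("unknown invitation token")
    return Membership(target.name, email, inv.role)


def join_hardened(invites, token, target, email):
    """Fixed redemption: the invitation must belong to the organization being
    joined. A foreign token is refused explicitly rather than silently
    downgraded, so the attempt is visible in audit logs."""
    inv = invites.get(token) if token else None
    if token and inv is None:
        raise RedemptionError("unknown invitation token")
    if inv is not None and inv.org != target:
        raise RedemptionError(
            f"invitation issued for {inv.org.name!r}, not {target.name!r}")
    if inv is None:
        # No invitation at all: apply the target organization's own policy.
        if target.invite_required:
            raise RedemptionError("organization is invite-only")
        if (target.allowed_email_domains
                and email_domain(email) not in target.allowed_email_domains):
            raise RedemptionError("email domain not permitted")
        return Membership(target.name, email, "member")
    return Membership(target.name, email, inv.role)


def attempt(join, invites, token, target, email):
    """Run a join routine; return ("ok", membership) or ("refused", reason)."""
    try:
        return "ok", join(invites, token, target, email)
    except RedemptionError as exc:
        return "refused", str(exc)


def demonstrate():
    """Constructed scenario: an administrator link for 'other' is redeemed
    against 'acme', an invite-only organization limited to one domain."""
    acme = Organization("acme", True, frozenset({"acme.example"}))
    other = Organization("other", True)
    invites = {}
    link = issue_invitation(invites, other, role="administrator")
    outsider = "outsider@elsewhere.example"
    before = attempt(join_vulnerable, invites, link.token, acme, outsider)
    after = attempt(join_hardened, invites, link.token, acme, outsider)
    legit = attempt(join_hardened, invites, link.token, other, "new@other.example")
    return before, after, legit


if __name__ == "__main__":
    for label, result in zip(("vulnerable", "hardened", "legitimate"), demonstrate()):
        print(f"{label}: {result}")
```

The essential change is the single comparison `inv.org != target`: the organization a link may be redeemed in is a property of the link itself, never of the request. Scoping the token lookup by organization (keying the table on the pair rather than the bare token) achieves the same thing structurally and is the more robust design, since then a foreign token simply does not exist from the target organization's point of view.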

Was my organization affected by this vulnerability?

We have performed an extensive examination of all Zulip Cloud audit logs, and have identified 4 instances where it looks like users may have accidentally exploited this vulnerability. These users joined an organization for which they had a legitimate invite by accidentally using a second invitation not from that organization.

Our investigation did not find any evidence that this vulnerability was ever discovered by someone outside the Zulip security team, or exploited on purpose. However, we have contacted all organizations for which our audit cannot prove conclusively that they were not affected. If you receive an email from us and your organization was invite-only at any point, we recommend reviewing the attached list of users to confirm that everything is as expected.

If you administer a Zulip Cloud organization and do not receive an email from us today, your organization was not affected by this vulnerability.

Parting thoughts

For self-hosted installations of Zulip, this vulnerability is fixed in the Zulip 4.10 release and discussed in the release blog post. Most self-hosted Zulip servers are not affected because they only host a single organization.

On behalf of Kandra Labs, I’d like to apologize for this security vulnerability. Keeping data that users have entrusted to us safe is the single most important thing we do, and we consider this category of incident unacceptable.

If you have any questions or concerns, or discover any unexpected accounts, please reach out to us at security@zulip.com.