
An OAuth app token outlives the user: bulk Zoom recording exfiltration

An over-scoped Zoom OAuth app with recording:read holds a long-lived token. Abused, it enumerates and downloads cloud recordings and transcripts account-wide.

OAuth apps in SaaS hold their own tokens and their own standing scopes. They are non-human identities that keep working after the user who installed them logs off, so if the actor is an app token, suspending a user changes nothing.

How the attack works

A malicious or over-scoped OAuth app installed in the Zoom account holds the recording:read scope and a long-lived app token. An attacker drives that token through the Zoom recordings API to enumerate and download cloud recordings and transcripts in bulk, well beyond the per-meeting processing the app normally does. The account activity and operation logs show the app’s token listing recordings account-wide at machine speed and pulling download URLs and VTT transcripts, including executive and legal meetings, before staging them off-platform. In ATT&CK terms this is T1528, Steal Application Access Token, paired with T1567, Exfiltration Over Web Service.

Why it works

The app was granted recording:read account-wide with no admin review and no restriction on which apps may read recordings. Its token is decoupled from any user’s session, so the standing grant keeps working independently of the person who installed it.

How to fix it

Resetting the installing user’s password does nothing, because the app authenticates with its own token. Revoke the OAuth app’s authorization in the Zoom admin or Marketplace and rotate its client secret, which invalidates both access and refresh tokens, then scope what it accessed. A firewall IP block is easily bypassed, and deleting recordings destroys evidence. For the root cause, enforce app admin pre-approval and allow-listing, audit all installed OAuth apps and their scopes, remove or down-scope account-wide recording access, and require periodic re-consent. Scope the exfiltration from the recording access log filtered to the app token and the time window, and weigh privilege, material-nonpublic-information, and personal-data obligations along with the app vendor’s data-processing agreement.
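The two log-driven steps described above, spotting an app token that lists recordings across many hosts at machine speed (How the attack works) and scoping what that token pulled from the access log filtered to token and window (How to fix it), as an added Python example. It is not part of this field note or of the GraphLattice Range scenario. The log schema (ts, actor_type, actor_id, action, host, meeting_id, artifact), the actor id app:rec-helper and the sample lines are constructed for illustration and are not Zoom's actual operation-log format; the thresholds (hosts per window, median gap) are assumptions to tune against your own baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def _rec(ts, actor_type, actor_id, action, host, meeting_id=None, artifact=None):
    """One constructed JSON log line in the assumed schema."""
    return json.dumps({"ts": ts, "actor_type": actor_type, "actor_id": actor_id,
                       "action": action, "host": host,
                       "meeting_id": meeting_id, "artifact": artifact})


def build_sample_log():
    """Constructed sample lines: normal app use, a normal user, then an abuse burst."""
    t0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    iso = lambda dt: dt.isoformat()
    lines = [
        # Normal per-meeting behaviour of the app: one host, one recording.
        _rec(iso(t0), "app", "app:rec-helper", "recording.list", "host-a"),
        _rec(iso(t0 + timedelta(seconds=4)), "app", "app:rec-helper",
             "recording.download", "host-a", "m-100", "mp4"),
        # An interactive user fetching their own recording.
        _rec(iso(t0 + timedelta(minutes=30)), "user", "user:alice", "recording.list", "host-alice"),
        _rec(iso(t0 + timedelta(minutes=31)), "user", "user:alice",
             "recording.download", "host-alice", "m-101", "mp4"),
    ]
    # Abuse burst: the same app token sweeps 12 hosts' recordings, then pulls transcripts.
    t1 = t0 + timedelta(hours=1)
    for i in range(12):
        lines.append(_rec(iso(t1 + timedelta(seconds=1.5 * i)), "app", "app:rec-helper",
                          "recording.list", f"host-{i:02d}"))
    t2 = t1 + timedelta(seconds=20)
    for i in range(6):
        lines.append(_rec(iso(t2 + timedelta(seconds=i)), "app", "app:rec-helper",
                          "transcript.download", f"host-{i:02d}", f"m-2{i:02d}", "vtt"))
    return lines


def parse_log(lines):
    """Parse JSON lines into dicts with aware datetimes, sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_bulk_enumeration(events, window=timedelta(minutes=5), min_hosts=5, max_median_gap_s=5.0):
    """Flag app tokens whose recording activity spans many hosts at machine speed.

    Only non-human (app) actors are considered: a user session is the wrong unit
    here, because the token keeps working after the installing user is suspended.
    Returns the first qualifying window per actor.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e["actor_type"] == "app":
            by_actor[e["actor_id"]].append(e)
    findings = {}
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            hosts = {e["host"] for e in span}
            if len(hosts) < min_hosts or len(span) < 2:
                continue
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(span, span[1:])]
            med = median(gaps)
            if med <= max_median_gap_s:
                findings[actor] = {"window_start": start["ts"], "hosts": len(hosts),
                                   "events": len(span), "median_gap_s": med}
                break
    return findings


def scope_exposure(events, actor_id, start_iso, end_iso):
    """Scoping step after revocation: what one token touched in [start, end]."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hit = [e for e in events if e["actor_id"] == actor_id and start <= e["ts"] <= end]
    artifacts, meetings, hosts = defaultdict(int), set(), set()
    for e in hit:
        hosts.add(e["host"])
        if e["action"].endswith(".download"):
            meetings.add(e["meeting_id"])
            artifacts[e["artifact"]] += 1
    return {"hosts": sorted(hosts), "meetings": sorted(meetings),
            "artifacts": dict(artifacts), "events": len(hit)}


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for actor, finding in find_bulk_enumeration(evs).items():
        print(actor, finding)
        w = finding["window_start"]
        print(scope_exposure(evs, actor, w.isoformat(), (w + timedelta(minutes=5)).isoformat()))
```

The detection keys on the actor being an app token, not a user, which is the point of the note: filter by actor_id, not by the installing user's session. The scoping output (hosts, meeting ids, artifact counts) is what feeds the privilege and data-obligation review.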

Practice it

We built this as a GraphLattice Range scenario so security teams can rehearse revoking an over-scoped OAuth grant and rotating its secret, not suspending the user who installed it.