Skip to Main Content
Status Will not implement
Created by Guest
Created on Nov 24, 2020

Huge Security Vulnerability: Remove the "Express Link" feature or provide an option to disable it tenant-wide

For those who haven't noticed it, RingCentral's mobile app has an "Express Link" sign-in feature.

The feature is mentioned in this KB article:

"Please note: If you’re logging with your mobile device, you may also have the option to sign in with an express link. If you choose to sign in with an express link, they will send you an email to the email address linked to your account to perform an express login. "

The way it works is very simple and also very dangerous: After entering an email address to sign in, instead of asking for password, the app instead offers to send you an email with a special "express link" which contains an authentication token. When the link is clicked, the mobile app is logged in automatically.

The idea behind this feature is to obviously make it easier for mobile users to sign in, as typing password on a mobile device is likely slower than a desktop keyboard. But unfortunately this is extremely risky and prone to abuse from an IT perspective.

I recently discovered this after being targeted by a phishing attack myself: I received 100% real emails coming from RingCentral themselves, with real links to the RingCentral website, asking me to "confirm" my sign in.

Obviously, the attacker can enter *any RC user's* email to initiate a login, and "Express Link" will proceeded to send a link to that email address.

It takes one click, just one click, and the attacker would have been able to sign in as the user on the attacker's mobile app.

Anyone who has worked in IT will understand that no matter how much you warn and educate your users, someone will click that link when you send it to enough of them, enough times.

The way it is implemented by RingCentral is even more dangerous than the common phishing attack schemes: in those attacks, the intruder has to send a fake email from a fake server ("spoofing") using a fake URL to lure the user into providing their credentials.

These typical phishing emails have a good chance of being blocked by a good email security system, and any vigilant user has a chance to inspect the URL of the link to realize that it's not from the right domain name. Finally, there is also the "multi-factor/2-factor authentication" mechanism to act as a final check if the credentials are ultimately compromised.

By contrast, the "Express Link" RingCentral sends out is 100% "real". It has a good chance of getting delivered right into the inbox, and the links in them point to the real

Of course, it has the standard warning message to remind the user that they should only click it if they expect it, and to call if they don't or suspect any wrong doing. By the way, the number provided isn't even a fraud hotline. It just leads to the standard support line, which is subject to a series of menus and options before the user can speak to a representative.

But again, someone out there, quite a few of them in this case, will just click that link. That's a fact. And their accounts will easily get compromised in the most effortless way for the attackers: they never even had to know their passwords or compromise their email accounts. It's like they "politely" asked to be in, and were then let in promptly, just like that.

The very idea that a link sent to one user's email box would allow any other user on the other side of the world to login without further authentication is outright dangerous. This design is deeply flawed and should have never been approved by RingCentral's security team.

So RingCentral, if you see this, please strongly considering removing this feature altogether or at least provide your customers with an option to disable it on the entire tenant.

If you're a RingCentral user, you're probably affected by this vulnerability unless your organization uses SSO (I assume this does not affect SSO tenants, but haven't tested). Please upvote this to protect yourself and other users in your organization.

Product Line RingCentral App
  • Admin
    Becky Hensley
    Dec 17, 2020

    Mike, Just wanted to reach out to you, as I checked in with our security team.
    The reassured me, and asked that I extend to you, their assurances that this process is sound.
    If someone attempts to gain access to your account via the Express Link feature, they will not be able to gain access to your RingCentral account...unless they have access to your email.
    Keeping security protocols in place regarding company's emails is the best protection here.

    Thanks for your vigilance. If you have additional questions or we can have someone from the security team assist further, please reach out to us at