Zoom bug allowed breaking into private password-protected meetings

In a recent tweet, Tom Anthony, the Product VP at SearchPilot, revealed that Zoom's web client, in April, was not rate-limiting the attempts to enter the default 6-digit passcode of video meetings.

The issue, he found, could easily be exploited by anyone to brute-force all possible passcode combinations, 1 million in all, and enter into private conferences, without the consent of the host.

Anthony tested his theory and was able to break into a private Zoom meeting in a matter of just 25 minutes.

He used an AWS machine for the hack and brute-forced some 91,000 combinations until the correct one appeared and worked.

"With improved threading, and distributing across 4-5 cloud servers, you could check the entire password space within a few minutes," he emphasized.

After discovering the flaw, Anthony reported the matter to Zoom, prompting the company to take its web client down - to prevent any exploit.

Then, in about a week, the video-conference giant deployed a fix for the flaw by requiring a "user to log in to join meetings in the web client, and updating the default meeting passwords to be non-numeric and longer."

In an official statement issued in light of Anthony's report, Zoom clarified that it "improved rate-limiting, addressed the CSRF token issues, and relaunched the web client on April 9."

"The issue was fully resolved, and no user action was required," the company said, noting that it is not aware of any instances where a hijacker used this vulnerability to break into a meeting.