Zoom bug allowed breaking into private password-protected meetings
Even after all the promises, video conferencing giant Zoom keeps running into security issues. Just recently, we detailed a bug in the service that allowed impersonation of reputed organizations, and now a researcher has reported a vulnerability that allowed private meeting passcodes to be cracked in a matter of minutes. Here is all you need to know about it.
No rate limiting on six-digit meeting passcodes
In a recent tweet, Tom Anthony, Product VP at SearchPilot, revealed that in April Zoom's web client was not rate-limiting attempts to enter the default six-digit meeting passcode. Because there are only 1 million possible codes, anyone could brute-force the entire passcode space and join a private meeting without the host's consent.
He tested the theory and broke into a meeting
Anthony tested his theory and broke into a private Zoom meeting in just 25 minutes. Using a single AWS machine, he tried some 91,000 combinations before hitting the correct one. "With improved threading, and distributing across 4-5 cloud servers, you could check the entire password space within a few minutes," he emphasized.
Here is Anthony's tweet
So a few months ago I realised Zoom doesn't rate limit password attempts for meetings, and has only 1 million passwords. Meaning you could join private meetings within minutes. 😮 https://t.co/NDUEmzUprX— Tom Anthony (@TomAnthonySEO) July 29, 2020
The bug was reported to Zoom and a fix was deployed
After discovering the flaw, Anthony reported it to Zoom, which took its web client offline to prevent exploitation. About a week later, the company fixed the flaw by requiring a "user to log in to join meetings in the web client, and updating the default meeting passwords to be non-numeric and longer."
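To make the attack and the fix concrete, here is an added example (not Zoom's code and not Anthony's script): a simulated server-side passcode check for a single meeting, run once with no limit, as the web client behaved in April, and once with a per-meeting failure lockout, which is the rate-limiting part of the fix. The passcode, attempt rates and lockout parameters below are constructed for the illustration; the 1 million figure is the size of the six-digit numeric space the article describes.

```python
import hmac
import time

PASSCODE_SPACE = 10 ** 6  # six-digit numeric codes: 000000 .. 999999


class MeetingPasscodeCheck:
    """Simulated server-side passcode check for one meeting.

    max_failures=None reproduces the unthrottled behaviour (any number of
    guesses accepted). A finite max_failures locks this meeting's check for
    lockout_seconds after that many wrong guesses, no matter which client
    or IP address sent them, so spreading the attack over several servers
    does not help. The clock is injectable so the lockout can be tested
    without sleeping. Hypothetical parameters, not Zoom's actual values.
    """

    def __init__(self, passcode, max_failures=None, lockout_seconds=300,
                 clock=time.monotonic):
        self._passcode = passcode.encode()
        self._max_failures = max_failures
        self._lockout = lockout_seconds
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0

    def check(self, guess):
        """Return 'ok', 'wrong' or 'locked' for one join attempt."""
        now = self._clock()
        if now < self._locked_until:
            return "locked"
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(guess.encode(), self._passcode):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._max_failures is not None and self._failures >= self._max_failures:
            self._locked_until = now + self._lockout
            self._failures = 0
        return "wrong"


def brute_force(check, space=PASSCODE_SPACE, width=6):
    """Enumerate every code in order against a check function.

    Returns (code_found_or_None, guesses_actually_evaluated, stopped_by_lockout).
    """
    attempts = 0
    for n in range(space):
        guess = f"{n:0{width}d}"
        result = check(guess)
        if result == "locked":
            return None, attempts, True
        attempts += 1
        if result == "ok":
            return guess, attempts, False
    return None, attempts, False


def unthrottled_cover_time(space, attempts_per_second, workers=1):
    """Worst-case seconds to try a whole code space when nothing limits guesses."""
    return space / (attempts_per_second * workers)


def throttled_cover_time(space, max_failures, lockout_seconds):
    """Worst-case seconds to try a whole code space against one meeting when
    each lockout window permits at most max_failures guesses, regardless of
    how many attacker machines are used."""
    return (space / max_failures) * lockout_seconds


if __name__ == "__main__":
    # Constructed passcode for the demo; not a real meeting's code.
    secret = "031337"

    open_check = MeetingPasscodeCheck(secret)
    print("unthrottled:", brute_force(open_check.check))

    fake_clock = [0.0]
    guarded = MeetingPasscodeCheck(secret, max_failures=10, lockout_seconds=300,
                                   clock=lambda: fake_clock[0])
    print("throttled:  ", brute_force(guarded.check))

    # One machine at roughly the article's observed rate, then five machines.
    rate = 91_000 / (25 * 60)
    print("cover time, 1 worker: %.0f s" % unthrottled_cover_time(PASSCODE_SPACE, rate))
    print("cover time, 5 workers: %.0f s" % unthrottled_cover_time(PASSCODE_SPACE, rate, 5))
    print("cover time, locked out: %.0f s" % throttled_cover_time(PASSCODE_SPACE, 10, 300))
```

Keying the lockout on the meeting rather than the source address is the point that matters here: Anthony's own note about distributing the search across several cloud servers is exactly how a per-IP limit would be sidestepped. Lengthening the passcode and widening its alphabet, the other half of the fix, multiplies the search space, but the limit on attempts is what turns a minutes-long job into an infeasible one.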
No evidence the issue was exploited, Zoom clarified
In an official statement issued in response to Anthony's report, Zoom said it had "improved rate-limiting, addressed the CSRF token issues, and relaunched the web client on April 9." "The issue was fully resolved, and no user action was required," the company said, adding that it is not aware of any instance in which this vulnerability was used to break into a meeting.