Zoom bug allowed breaking into private password-protected meetings

Jul 30, 2020
07:11 pm

What's the story

Even after all its promises, video conferencing giant Zoom keeps running into security issues. Just recently, we detailed a bug in the service that let attackers impersonate reputable organizations, and now a researcher has reported a vulnerability that allowed private meeting passcodes to be brute-forced in a matter of minutes. Here is all you need to know about it.

Passcodes

No rate limiting on six-digit meeting passcodes

In a recent tweet, Tom Anthony, the Product VP at SearchPilot, revealed that in April, Zoom's web client did not rate-limit attempts to enter the default six-digit passcode of a video meeting. With six digits there are only 1 million possible passcodes, so anyone could simply try every combination against the web client and join a private conference without the host's consent.

Demo

He tested the theory and broke into a meeting

Anthony tested his theory and was able to break into a private Zoom meeting in just 25 minutes. He ran the attack from an AWS machine and tried some 91,000 combinations before the correct one appeared and worked, which works out to roughly 60 guesses a second, a rate at which even a single machine would exhaust the full million-code space in under five hours. "With improved threading, and distributing across 4-5 cloud servers, you could check the entire password space within a few minutes," he emphasized.

Report

The bug was reported to Zoom, and a fix was deployed

After discovering the flaw, Anthony reported it to Zoom, which took its web client offline to prevent any exploitation while it worked on a fix. About a week later, the video-conferencing giant deployed a fix that, in Anthony's words, involved requiring a "user to log in to join meetings in the web client, and updating the default meeting passwords to be non-numeric and longer."
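To make the attack and the fix concrete, here is an added Python simulation; it is illustration code written for this page, not Zoom's server code and not Anthony's script. It models a meeting-join endpoint first without any throttling (the April behaviour described above) and then with a per-client sliding-window limit, runs the same brute-force loop against both, and compares the size of the six-digit numeric space with a longer non-numeric passcode space. The passcode, meeting id, client address, the limit of 5 attempts per minute, the 60 guesses per second rate and the 10-character lowercase-alphanumeric passcode format are all constructed assumptions for the example.

```python
import hmac
import itertools
from collections import defaultdict, deque


class MeetingServer:
    """Simulated join endpoint (constructed for this example, not Zoom's code).
    max_attempts=None models an unthrottled endpoint; a number models a
    per-(meeting, client) sliding-window rate limit."""

    def __init__(self, passcode, max_attempts=None, window_seconds=60.0):
        self._passcode = passcode
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._recent = defaultdict(deque)  # (meeting, client) -> timestamps of attempts

    def join(self, meeting_id, client, guess, now):
        """Return 'ok', 'wrong' or 'rate_limited'. `now` (seconds) is injected
        by the caller so the simulation is deterministic."""
        if self.max_attempts is not None:
            q = self._recent[(meeting_id, client)]
            while q and now - q[0] > self.window:  # forget attempts outside the window
                q.popleft()
            if len(q) >= self.max_attempts:
                return "rate_limited"
            q.append(now)
        # constant-time compare so the check itself leaks nothing about the passcode
        if hmac.compare_digest(guess, self._passcode):
            return "ok"
        return "wrong"


def brute_force(server, meeting_id, client, alphabet, length, seconds_per_guess):
    """Enumerate the whole passcode space in order, one guess every
    seconds_per_guess seconds. Returns (passcode or None, attempts sent)."""
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        guess = "".join(combo)
        attempts += 1
        result = server.join(meeting_id, client, guess, now=attempts * seconds_per_guess)
        if result == "ok":
            return guess, attempts
        if result == "rate_limited":
            return None, attempts  # the limiter stops the search long before success
    return None, attempts


def keyspace(alphabet, length):
    """Number of distinct passcodes of the given alphabet and length."""
    return len(alphabet) ** length


def worst_case_seconds(alphabet, length, guesses_per_second):
    """Time to try every passcode at a fixed guess rate from one client."""
    return keyspace(alphabet, length) / guesses_per_second


DIGITS = "0123456789"
ALNUM = DIGITS + "abcdefghijklmnopqrstuvwxyz"  # assumed alphabet for the longer default

if __name__ == "__main__":
    target = "003456"  # constructed sample passcode; chosen low so the demo is quick
    unthrottled = MeetingServer(target)
    print("no rate limit:", brute_force(unthrottled, "m1", "10.0.0.5", DIGITS, 6, 1 / 60))
    limited = MeetingServer(target, max_attempts=5, window_seconds=60)
    print("5/min limit:  ", brute_force(limited, "m1", "10.0.0.5", DIGITS, 6, 1 / 60))
    for alphabet, length in ((DIGITS, 6), (ALNUM, 10)):
        hours = worst_case_seconds(alphabet, length, 60) / 3600
        print(f"{len(alphabet)}^{length} = {keyspace(alphabet, length):,} codes, "
              f"{hours:,.1f} h at 60 guesses/s")
```

Note that the limiter is keyed on the client as well as the meeting, so an attacker who spreads guesses across many addresses, as Anthony's "4-5 cloud servers" would, still gets max_attempts per address; a per-meeting budget or lockout is needed alongside it, which is why the larger passcode space matters at least as much as the throttle.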

Statement

No evidence the issue was exploited, Zoom says

In an official statement issued in light of Anthony's report, Zoom said that it "improved rate-limiting, addressed the CSRF token issues, and relaunched the web client on April 9." "The issue was fully resolved, and no user action was required," the company said, adding that it is not aware of any instance in which the vulnerability was used to break into a meeting.