A security issue in popular video conferencing platform Zoom was disclosed this week, which could have allowed attackers to crack private meeting passcodes and snoop in on video conferences.
The problem, which has already been fixed, stems from Zoom not having any check against repeated incorrect meeting password attempts. The six-digit, numeric passwords protect Zoom meetings; Zoom added them to meetings by default in April as an extra security measure to prevent “Zoom bombers” from freely entering and hijacking meetings.
Upon discovering this problem, “I spent time reverse engineering the endpoints for the web client Zoom provide, and found I was able to iterate over all possible default passwords to discover the password for a given private meeting,” said Tom Anthony, VP Product at SearchPilot, in a Wednesday post.
The issue stems from Zoom lacking a “fairly standard principle of password security,” Anthony said: rate limiting password attempts. Put simply, an attacker could iterate over a list of candidate passwords and use Zoom’s web client to send a continuous stream of HTTP requests checking each one, with no limit on incorrect attempts to stop them.
“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings,” he said.
After Anthony reported the issue to Zoom on April 1, the company took the web client offline and fixed the problem by April 9. Anthony said Zoom appears to have mitigated the issue both by requiring a user to log in to join meetings in the web client, and by changing default meeting passwords to be non-numeric and longer.
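The two controls the article describes, a limit on incorrect attempts and a larger passcode space, can be shown side by side. The following is an added example written for this page, not Zoom’s code or Anthony’s: a lockout-style guard on a passcode check, plus helpers that put numbers on how long an unthrottled guess stream needs to cover a six-digit numeric space versus how few guesses a lockout policy allows. The threshold of 5 failures, the 300-second lockout, the meeting ID and passcode, and the 10-character alphanumeric comparison are all assumed values, not details from the page.

```python
"""Added example: a lockout-style rate limiter for meeting passcode checks.

Illustrative code, not Zoom's implementation; the threshold, window and
sample meeting data below are assumed values.
"""
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, DefaultDict, Dict, Tuple

LOCKOUT_THRESHOLD = 5     # failed guesses per (meeting, client) before lockout (assumed policy)
LOCKOUT_SECONDS = 300     # how long the pair stays locked out (assumed policy)


@dataclass
class PasscodeGuard:
    """Checks meeting passcodes and locks a client out after repeated failures."""

    passcodes: Dict[str, str]                         # meeting id -> passcode
    clock: Callable[[], float] = time.monotonic       # injectable for testing
    failures: DefaultDict[Tuple[str, str], int] = field(
        default_factory=lambda: defaultdict(int))
    locked_until: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def attempt(self, meeting_id: str, client_id: str, passcode: str) -> str:
        """Return 'ok', 'wrong' or 'locked' for one join attempt."""
        key = (meeting_id, client_id)
        now = self.clock()
        if self.locked_until.get(key, 0.0) > now:
            return "locked"          # reject without even checking the passcode
        expected = self.passcodes.get(meeting_id, "")
        # Constant-time comparison so response timing leaks nothing about the value.
        if expected and hmac.compare_digest(expected.encode(), passcode.encode()):
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= LOCKOUT_THRESHOLD:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures.pop(key, None)  # counter restarts after the lockout
            return "locked"
        return "wrong"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes for a fixed alphabet and length."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, attempts_per_second: float) -> float:
    """Worst-case time to try every passcode at an unthrottled guess rate."""
    return space / attempts_per_second


def max_guesses(window_seconds: float) -> int:
    """Guesses one (meeting, client) pair can make in a window under the lockout policy.

    Each lockout cycle permits LOCKOUT_THRESHOLD guesses, then nothing for
    LOCKOUT_SECONDS; the guesses themselves are treated as instantaneous.
    """
    cycles = int(window_seconds // LOCKOUT_SECONDS) + 1
    return cycles * LOCKOUT_THRESHOLD


if __name__ == "__main__":
    guard = PasscodeGuard({"MTG-0001": "482913"})     # constructed sample meeting
    print([guard.attempt("MTG-0001", "client-a", p) for p in ("000000", "000001", "482913")])
    six_digit = keyspace(10, 6)                       # 1,000,000 default-style passcodes
    print(f"unthrottled at 1000 guesses/s: {seconds_to_exhaust(six_digit, 1000):.0f} s")
    print(f"with lockout, guesses per day per client: {max_guesses(86400)}")
    print(f"10-char alphanumeric keyspace: {keyspace(62, 10):,}")
```

The lockout is keyed on the (meeting, client) pair, which is why it has to be paired with an identity requirement such as the login Zoom added: without a stable client identity, a guesser simply rotates identities and each one gets a fresh failure budget. Keying on the meeting alone closes that gap but lets a single bad actor lock legitimate attendees out, so a longer, non-numeric passcode that makes the space infeasible to cover in the first place is the more robust half of the fix.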
“Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations,” a Zoom spokesperson told Threatpost. “We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9th. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild. We thank Tom Anthony for bringing this issue to our attention.”
Zoom has been under scrutiny for its security policies since the coronavirus pandemic drove up remote collaboration – and thus its user base. However, Anthony said that after he reported the problem, Zoom responded quickly and addressed the rate-limiting issue.
“I’m aware Zoom have been under a lot of scrutiny for their security practices given their sudden spike in usage brought about by the COVID-19 pandemic,” he said. “From my interactions with the team, they seemed to care about the security of the platform, and their users and they seemed appreciative of the report.”
Other vulnerabilities have previously been discovered in the popular app. In July, a bug in the Zoom Client for Windows was disclosed that could allow remote code execution. And in April, two zero-day flaws were uncovered in Zoom’s macOS client that could have given local, unprivileged attackers root privileges and allowed them to access victims’ microphone and camera. Zoom quickly patched the issues upon being alerted to them.