A security researcher has uncovered a critical flaw in the video conferencing app Zoom that let anyone break into a password-protected meeting.
Tom Anthony, from SEO firm SearchPilot, wrote on his blog that Zoom only locked meetings with a six-digit numeric password.
That meant there was a total of one million possible combinations.
It sounds like a large number, but an attacker with a script that can guess without limit could cycle through all of them in a few minutes.
‘I discovered a vulnerability in the Zoom web client that allowed checking if a password is correct for a meeting, due to broken CSRF and no rate limiting,’ Tom wrote.
‘This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.
‘This also raises the troubling question as to whether others were potentially already using this vulnerability to listen in to other people’s calls (e.g. the UK Cabinet Meeting!).’
Tom contacted Zoom about the flaw and the US company has patched the issue to make sure it’s not exploited in the future.
He explained that meetings scheduled in batch were particularly exposed to this flaw, as they all used the same passcode. If a meeting was big enough, an attacker could slip in unnoticed and eavesdrop or zoombomb.
‘I reported the issue to Zoom, who quickly took the web client offline to fix the problem,’ Tom wrote.
He revealed the flaw to the company back in April. To its credit, Zoom got on the case and fixed the issue quickly.
‘They seem to have mitigated it by both requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer. Therefore this attack no longer works,’ Tom wrote.
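Because the flaw came down to an unbounded number of guesses against a one-million-entry passcode space, here is an added illustration, written for this article and not Zoom's own code, of the two server-side controls that close it: a per-meeting, per-client attempt limiter (the rate limiting Tom found missing) and a keyspace calculation showing what longer, non-numeric passcodes buy. Meeting and client identifiers in it are constructed.

```python
import hmac
import math
import time
from collections import defaultdict

# Illustrative code, not Zoom's implementation.

def keyspace_bits(length, alphabet_size):
    """Entropy in bits of a passcode of `length` symbols over an alphabet."""
    return length * math.log2(alphabet_size)

def worst_case_seconds(length, alphabet_size, attempts_per_second):
    """Seconds needed to exhaust the whole passcode space at a given guess rate."""
    return (alphabet_size ** length) / attempts_per_second

class JoinAttemptLimiter:
    """Reject join attempts once a (meeting, client) pair has made
    `max_failures` wrong guesses inside a sliding `window` of seconds."""

    def __init__(self, max_failures=5, window=300.0):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(list)  # (meeting, client) -> failure timestamps

    def _prune(self, key, now):
        cutoff = now - self.window
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]

    def is_locked(self, meeting_id, client_id, now=None):
        now = time.time() if now is None else now
        key = (meeting_id, client_id)
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_failures

    def check_passcode(self, meeting_id, client_id, submitted, expected, now=None):
        """Return True only when the client is not locked out AND the passcode matches.
        A locked client is refused even with the correct passcode, so a brute-force
        run cannot simply keep going until it lands on the right value."""
        now = time.time() if now is None else now
        key = (meeting_id, client_id)
        if self.is_locked(meeting_id, client_id, now):
            return False
        # Constant-time comparison avoids leaking match length via timing.
        if hmac.compare_digest(submitted, expected):
            self._failures.pop(key, None)
            return True
        self._failures[key].append(now)
        return False
```

With a 6-digit numeric code, `keyspace_bits(6, 10)` is under 20 bits and `worst_case_seconds(6, 10, 1000)` is 1000 seconds at a thousand guesses per second; a 10-character mixed-case alphanumeric code is roughly 59.5 bits, and with the limiter a client is stopped after a handful of guesses regardless.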
Zoom has seen its user base grow exponentially since the coronavirus lockdown began – jumping from around 10 million to over 200 million participants as people attempted to work and study from home as well as stay in touch with friends and family.
Such has been the rapid rise in Zoom’s popularity that several online safety agencies issued guides on how to use the platform.
Zoom chief executive Eric Yuan announced several security updates back in April: ‘I am proud to reach this step in our 90-day plan, but this is just the beginning.
‘We built our business by delivering happiness to our customers.
‘We will earn our customers’ trust and deliver them happiness with our unwavering focus on providing the most secure platform.’