Zoom has now fixed the flaw that let attackers break into private meetings
A basic flaw in the web client of the video conferencing platform Zoom was recently identified by Tom Anthony, VP Product at the SEO firm SearchPilot. The vulnerability stems from a lack of rate limiting on password attempts for private meetings and could have allowed attackers to break into any private meeting in just a few minutes.
According to a recent blog post on Anthony's website, Zoom meetings were protected by a 6-digit numeric password. That gives at most 1 million possible passwords, which may initially sound like a lot, but an attacker can easily try every one of them with a simple Python program and join any meeting without difficulty.
Recurring meetings are the most exposed to this attack, Anthony explains, because the same password is reused for every meeting in the series.
As a result of the coronavirus lockdown and the increase in remote working in recent months, the Zoom platform has seen a massive rise in user numbers, serving more than 300 million meeting participants every day. At the same time, Zoom has faced significant security scrutiny as researchers have uncovered several faults in the software – from the possibility of password theft to hacking, to malicious code injection, and more.
This forced the company to pause product development for a while and focus on fixing security concerns. The vulnerability discovered by Tom Anthony was first verified with a crude Python program running on an AWS machine. It was then disclosed on 1 April, which led Zoom to suspend its web client the following day, an outage that lasted a week.
During that week, Zoom introduced a policy requiring web client users to sign into an account before entering a meeting. Default passwords were also made longer and now include non-numeric characters, which greatly increased the number of possible passwords.
In a statement, Zoom explains that it relaunched the web client on 9 April and that the measures it has taken have improved rate limiting. According to the company, these changes fix the issue entirely and require no action from users. Zoom also says it is not aware of any cases in which the reported vulnerability was exploited.
However, it is entirely possible that an intruder could have slipped into a Zoom meeting through this weakness without alerting other participants, simply by hiding behind a generic user ID, Anthony points out.
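To make the two mitigations concrete, here is an added example (not Zoom's code, and not from Anthony's post) that models a per-meeting rate limiter for password attempts and shows how the attempt limit and the larger password space change the worst-case cost of guessing every password. The meeting IDs, passwords, attempt limit, window and lockout length are constructed values for the example, not Zoom's actual settings.

```python
"""Per-meeting rate limiter for meeting password attempts.

Added example, not Zoom's code: it models the two mitigations the article
describes (rate limiting attempts per meeting, and longer non-numeric default
passwords) and shows how they change the cost of exhaustive guessing.
Meeting IDs, passwords and the limit values are constructed for the example.
"""
import hmac
from collections import defaultdict, deque

# Assumed policy values, not Zoom's actual settings.
MAX_FAILURES = 5          # failed attempts tolerated per meeting per window
WINDOW_SECONDS = 300.0    # window over which failures are counted
LOCKOUT_SECONDS = 900.0   # how long a meeting refuses all attempts once the limit is hit

# Constructed sample meeting table: meeting ID -> password.
MEETINGS = {
    "123-456-789": "483920",     # old style: 6 numeric digits
    "987-654-321": "Qp7xT2mV",   # new style: longer, mixed characters
}


class MeetingPasswordGuard:
    """Tracks failed password attempts per meeting ID and locks the meeting out.

    Keyed on the meeting ID rather than the client address, so spreading the
    guesses across many source hosts does not reset the counter.
    """

    def __init__(self, meetings, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self._meetings = meetings
        self._max_failures = max_failures
        self._window = window
        self._lockout = lockout
        self._failures = defaultdict(deque)  # meeting ID -> timestamps of recent failures
        self._locked_until = {}              # meeting ID -> time the lockout ends

    def attempt(self, meeting_id, password, now):
        """Check one join attempt at time `now` (seconds).

        Returns 'ok', 'wrong_password', 'locked' or 'unknown_meeting'.
        """
        if meeting_id not in self._meetings:
            return "unknown_meeting"
        if self._locked_until.get(meeting_id, 0.0) > now:
            return "locked"

        recent = self._failures[meeting_id]
        while recent and now - recent[0] > self._window:  # forget old failures
            recent.popleft()

        # Constant-time comparison so the check itself leaks nothing about the password.
        if hmac.compare_digest(password, self._meetings[meeting_id]):
            recent.clear()
            return "ok"

        recent.append(now)
        if len(recent) >= self._max_failures:
            self._locked_until[meeting_id] = now + self._lockout
            recent.clear()
        return "wrong_password"


def keyspace(alphabet_size, length):
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def days_to_exhaust(alphabet_size, length,
                    max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
    """Worst-case days to try every password against one meeting under the limiter.

    Each lockout cycle allows at most `max_failures` guesses, so guesses per day
    are bounded by max_failures * 86400 / lockout regardless of client speed.
    """
    guesses_per_day = max_failures * 86400.0 / lockout
    return keyspace(alphabet_size, length) / guesses_per_day


def demo():
    """Run a constructed sequence of attempts and return the observed outcomes."""
    guard = MeetingPasswordGuard(MEETINGS)
    outcomes = [guard.attempt("123-456-789", "%06d" % i, now=float(i))
                for i in range(MAX_FAILURES)]                          # five wrong guesses
    outcomes.append(guard.attempt("123-456-789", "483920", now=10.0))  # right, but locked
    outcomes.append(guard.attempt("123-456-789", "483920",
                                  now=10.0 + LOCKOUT_SECONDS))         # after lockout ends
    return outcomes


if __name__ == "__main__":
    print(demo())
    print("6 digits:", keyspace(10, 6), "passwords,",
          round(days_to_exhaust(10, 6)), "days to exhaust")
    print("8 alphanumerics:", keyspace(62, 8), "passwords,",
          round(days_to_exhaust(62, 8)), "days to exhaust")
```

With the assumed limits, a single meeting accepts at most 480 guesses per day, so even the old 1-million-password space takes years rather than minutes to exhaust, and the longer mixed-character default pushes that far beyond any practical horizon. The limiter is keyed on the meeting ID on purpose: a per-client limit alone can be sidestepped by spreading guesses over many hosts, which is why counting failures per target is the check that matters.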