The popular Zoom video conferencing application recently fixed a new security flaw that could have allowed potential attackers to crack the numerical access code used to secure private meetings on the platform and spy on participants.
Zoom meetings are protected by default with a six-digit numeric password, but according to Tom Anthony, vice president of products for SearchPilot who identified the problem, the lack of speed limitation allowed “one attacker to try all 1 million passwords on a matter of minutes and gain access to other people’s private (password protected) Zoom meetings. “
It’s worth noting that Zoom started requiring an access code for all meetings in April as a preemptive measure to combat Zoom’s bombing attacks, which refers to the act of interrupting and hijacking Zoom meetings without inviting them to share obscene content and racist.
Anthony reported the security issue to the company on April 1, 2020, along with a Python-based proof of concept script, a week after Zoom fixed the problem on April 9.
The fact that meetings were, by default, secured by a six-digit code meant that there could only be a maximum of one million passwords.
But in the absence of controls for repeated wrong password attempts, an attacker can take advantage of the Zoom web client (https://zoom.us/j/MEETING_ID) to continuously send HTTP requests to test all million combinations.
“With an improvement in threading and distribution across 4-5 cloud servers, I could verify all the password space in a few minutes,” said Anthony.
The attack worked with recurring meetings, implying that the bad actors might have had access to the ongoing meetings once the access code was cracked.
The researcher also found that the same procedure could be repeated even with scheduled meetings, which have the option of overriding the default access code with a longer alphanumeric variant, and executing it against a list of the top 10 million passwords to force a start of session by brute force.
Separately, a problem was discovered during the login process using the web client, which employed a temporary redirect to seek clients’ consent to their terms of service and privacy policy.
“There was a CSRF HTTP header sent during this step, but if you omitted it, the request seemed to work fine anyway,” said Anthony. “The failure of the CSRF token made it even easier to abuse than it otherwise would be, but fixing that would not provide much protection against this attack.”
Following the findings, Zoom took the web client offline to mitigate the issues on April 2 before issuing a solution a week later.
Attracted the scrutiny of a number of security concerns as its use skyrocketed during the coronavirus pandemic, the video conferencing platform has quickly fixed the flaws as they were discovered, even going as far as to announce a 90-freeze days launching new features to “proactively identify, address, and troubleshoot.”
Earlier this month, the company addressed a zero-day vulnerability in its Windows application that could allow an attacker to execute arbitrary code on a victim’s computer running Windows 7 or earlier.
It also fixed a separate flaw that could have allowed attackers to imitate an organization and trick its employees or business partners into revealing personal or other confidential information through social engineering attacks.
.
