A security issue in the popular video conferencing platform Zoom was disclosed this week that could have allowed attackers to crack private meeting passcodes and eavesdrop on video conferences. The problem, which has already been fixed, stems from Zoom not having any check against repeated incorrect meeting password attempts. The six-digit numeric passwords protect Zoom meetings, and were added to meetings by default by Zoom in April as an extra security measure to prevent “Zoom bombers” from freely entering and hijacking meetings.

Upon discovering this problem, “I spent time reverse engineering the endpoints for the web client Zoom provide, and found I was able to iterate over all possible default passwords to discover the password for a given private meeting,” said Tom Anthony, VP Product at SearchPilot, in a Wednesday post.

The issue stems from Zoom lacking a “fairly standard principle of password security,” Anthony said, which is to rate limit password attempts. Put simply, an attacker could iterate over a list of passwords and use Zoom’s web client to continuously send HTTP requests checking each one, with no incorrect-password limit stopping them.

“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings,” he said.

After Anthony reported the issue to Zoom on April 1, the tech company took the web client offline and fixed the problem…
Zoom Flaw Could Have Allowed Hackers To Crack Meeting Passcodes (govanguard, 2020-07-30 17:40)