A security issue in the popular video conferencing platform Zoom was disclosed this week, which could have allowed attackers to crack private meeting passcodes and snoop on video conferences. The problem, which has already been fixed, stems from Zoom not having any check against repeated incorrect meeting password attempts.

The six-digit numeric passcodes protect Zoom meetings, and were added to meetings by default by Zoom in April as an extra security measure to prevent “Zoom bombers” from freely entering and hijacking meetings.

After discovering the problem, Anthony dug into the web client. “I spent time reverse engineering the endpoints for the web client Zoom provide, and found I was able to iterate over all possible default passwords to discover the password for a given private meeting,” said Tom Anthony, VP Product at SearchPilot, in a Wednesday post.

The issue stems from Zoom lacking a “fairly standard principle of password security,” Anthony said, which is to rate limit password attempts. Put simply, an attacker could take the list of all possible passcodes, drive Zoom’s web client with a stream of HTTP requests, and check every one of them, with no incorrect-password limit stopping them. Because a six-digit numeric passcode has only 1,000,000 possible values, exhausting the whole space is cheap once the endpoint tolerates unlimited guesses.

“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings,” he said.

After Anthony reported the issue to Zoom on April 1, the company took the web client offline and fixed the problem…
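The following is an added example, not Zoom’s code or Tom Anthony’s: a toy model of a passcode verifier with no limit on failed attempts beside one that enforces a failure budget, and a brute-forcer that walks the full six-digit space against each. The meeting ID, passcode, client identifiers and limits are made up for illustration; a real endpoint would sit behind HTTP, but the logic of the flaw and the fix is the same.

```python
"""Added example (not Zoom's code): why rate limiting matters for a 6-digit passcode."""
import hmac
from collections import defaultdict

PASSCODE_SPACE = 10 ** 6  # default Zoom passcodes are six digits: 000000..999999


class UnlimitedServer:
    """Verifier with no check on repeated wrong attempts (the flawed design)."""

    def __init__(self, meetings):
        self._meetings = dict(meetings)  # meeting_id -> passcode (constructed sample data)

    def check(self, meeting_id, candidate, client_id):
        expected = self._meetings[meeting_id]
        # Constant-time comparison; the flaw here is not timing but the missing limit.
        return hmac.compare_digest(expected, candidate)


class RateLimitedServer(UnlimitedServer):
    """Same verifier with a failed-attempt budget per (meeting, client) AND per meeting.

    The per-meeting budget matters because an attacker who rotates source
    addresses or sessions defeats a per-client limit on its own. Real systems
    use sliding time windows or backoff; a fixed budget keeps the example short.
    """

    def __init__(self, meetings, max_failures_per_client=5, max_failures_per_meeting=50):
        super().__init__(meetings)
        self.max_failures_per_client = max_failures_per_client
        self.max_failures_per_meeting = max_failures_per_meeting
        self._client_failures = defaultdict(int)   # (meeting_id, client_id) -> failures
        self._meeting_failures = defaultdict(int)  # meeting_id -> failures

    def check(self, meeting_id, candidate, client_id):
        key = (meeting_id, client_id)
        if (self._client_failures[key] >= self.max_failures_per_client
                or self._meeting_failures[meeting_id] >= self.max_failures_per_meeting):
            raise PermissionError("too many failed passcode attempts; refusing to check")
        ok = super().check(meeting_id, candidate, client_id)
        if ok:
            self._client_failures.pop(key, None)
        else:
            self._client_failures[key] += 1
            self._meeting_failures[meeting_id] += 1
        return ok


def brute_force(server, meeting_id, rotate_every=None):
    """Enumerate every six-digit passcode in order.

    rotate_every=N makes the attacker present a fresh client identity every N
    guesses (modelling IP/session rotation). Returns (passcode or None, attempts).
    """
    attempts = 0
    for n in range(PASSCODE_SPACE):
        client_id = "attacker" if rotate_every is None else f"attacker-{n // rotate_every}"
        candidate = f"{n:06d}"
        attempts += 1
        try:
            if server.check(meeting_id, candidate, client_id):
                return candidate, attempts
        except PermissionError:
            return None, attempts  # locked out before the space was exhausted
    return None, attempts


if __name__ == "__main__":
    meetings = {"123-456-789": "042317"}  # hypothetical meeting and passcode
    print("unlimited:", brute_force(UnlimitedServer(meetings), "123-456-789"))
    print("limited:", brute_force(RateLimitedServer(meetings), "123-456-789"))
    print("limited, rotating clients:",
          brute_force(RateLimitedServer(meetings), "123-456-789", rotate_every=5))
```

Against the unlimited verifier the brute-forcer recovers the passcode after exactly as many guesses as its numeric value plus one; against the limited one it is refused after the per-client budget, and rotating identities only lasts until the per-meeting budget is spent. The legitimate host who knows the passcode is unaffected in either case.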
