Critical Zoom Flaw Allows Hackers to Crack Private Meeting Password

In the past few months, Zoom has gained very much popularity, and also Zoom video conferencing has fixed many security flaws that could allow an attacker to perform illegal tasks.

Recently Zoom has also fixed one such flaw that could allow an attacker to crack the numeric passcode of the Zoom private meeting and can snoop on private meetings.

The security flaw was founded by Tom Anthony, VP Product at SearchPilot, he found that initially Zoom meetings were protected with a six-digit numeric password, he witnessed that if an attacker can attempt all 1 Million password in a minute can allow him to crack the password for the private Zoom meeting.

The bug was present due to the lack of Rate limiting. Initially, in April when the Zoom-bombing attacks were increased, Zoom started using passcode for the meetings to stops the Zoom-bombers to spoil the meeting.

UK Government Cabinet Meeting, over Zoom, clearly showing the meeting ID.
The government has reassured the call was password protected.
Courtesy: Tom Anthony
===FOUND PASSWORD===
Password: 170118
Passwords tried: 43164
took 28m 52s 392ms
There was an unnamed, muted & hidden participant in the Cabinet Meeting
Courtesy: Tom Anthony

After all the Zoom meeting was protected by the six-digit passcode which means that there would be a maximum of 1 Million passcodes but there was no mechanism to check the absence of the repeated number of attempts.

This could allow an attacker to continuously send HTTP requests to try all the one million attempts.

There was a CSRF HTTP header sent during this step, but if you omitted it then the request still seemed to just work fine anyway

Anthony said

The researcher also found that this method also works with scheduled meetings which have the option to override default alphanumeric passcode to try with the top 10 million passcode attempts with brute-force technique.

After finding the flaw the researcher reported it to the company and the patch was released for the security flaw.

The failure on the CSRF token made it even easier to abuse than it would be otherwise, but fixing that wouldn’t provide much protection against this attack

Anthony added

In the past also there have been many flaws found on the Zoom platform earlier this month a zero-day was discovered that could allow an attacker to execute the arbitrary code on the victim’s system.

3 thoughts on “Critical Zoom Flaw Allows Hackers to Crack Private Meeting Password

  1. I am extremely impressed with your writing skills as well
    as with the layout on your weblog. Is this a paid theme or did you
    customize it yourself? Anyway keep up the excellent quality
    writing, it’s rare to see a great blog like this one these days.

  2. First off I want to say awesome blog! I had a quick question that I’d
    like to ask if you don’t mind. I was curious to find out how you center
    yourself and clear your head prior to writing.

    I have had trouble clearing my thoughts in getting my thoughts out.
    I truly do enjoy writing however it just seems like the first 10 to 15 minutes are usually
    lost just trying to figure out how to begin. Any suggestions or tips?
    Kudos!

Leave a Reply

Your email address will not be published. Required fields are marked *

14 − ten =

Do NOT follow this link or you will be banned from the site!