A BASIC Zoom flaw could have let hackers break into any private meeting.
Until recently, Zoom only had one million possible passcodes for meetings.
This may seem like a large number, but it is small enough that cybercriminals could have guessed a correct passcode within minutes.
The flaw was spotted by Tom Anthony from SEO firm SearchPilot.
Zoom set no limit on the number of times you could try to join a meeting, so an attacker could keep trying passcodes until one worked.
Anthony wrote on his blog: “Zoom meetings were default protected by a 6 digit numeric password, meaning 1 million maximum passwords.
“I discovered a vulnerability in the Zoom web client that allowed checking if a password is correct for a meeting, due to broken CSRF and no rate limiting.
“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.
“This also raises the troubling question as to whether others were potentially already using this vulnerability to listen in to other people’s calls (e.g. the UK Cabinet Meeting!).”
Hackers can automate this with a simple program, written in a language such as Python, that tries a huge number of passcodes in minutes.
Batch-scheduled meetings set at regular intervals were particularly vulnerable to this as the same passcode can be used for all of them.
Fortunately, the flaw has been patched.
Anthony wrote: “I reported the issue to Zoom, who quickly took the web client offline to fix the problem.
“They seem to have mitigated it by both requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer. Therefore this attack no longer works.”
The problem was revealed to Zoom on April 1, and the web client was taken offline for about a week while it was fixed.
Zoom passwords now need to be longer and contain non-numerical characters.
Zoom explained in a statement: “We have since improved rate limiting and relaunched the web client on April 9.
“With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild.”
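The two fixes Zoom describes, rate limiting and longer non-numeric passcodes, as an added Python model written for this article (not Zoom's code; the MeetingGate class, its limits and the 10-character passcode length are assumptions):

```python
import secrets
import string
import time
from collections import defaultdict

# Constructed illustration added to this article (not Zoom's code): a model
# passcode check showing the two mitigations Zoom described. Names assumed.

DIGITS = string.digits                        # 10 symbols
ALNUM = string.ascii_letters + string.digits  # 62 symbols

def keyspace(alphabet: str, length: int) -> int:
    """Number of possible passcodes for the given alphabet and length."""
    return len(alphabet) ** length

def minutes_to_exhaust(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Worst-case minutes to try every passcode when nothing throttles guesses."""
    return keyspace(alphabet, length) / guesses_per_second / 60

def generate_passcode(length: int = 10, alphabet: str = ALNUM) -> str:
    """Longer, non-numeric default passcode (Zoom's second mitigation)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

class MeetingGate:
    """Passcode check with per-client failure limiting (Zoom's first mitigation).
    The clock is injectable so the lockout can be exercised without sleeping."""

    def __init__(self, passcode, max_attempts=5, lockout_seconds=300, clock=time.monotonic):
        self._passcode = passcode
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = defaultdict(int)  # client -> consecutive failures
        self._locked_until = {}            # client -> monotonic deadline

    def check(self, client: str, guess: str) -> str:
        """Return 'ok', 'wrong' or 'locked'; a locked client's guess is never compared."""
        now = self._clock()
        if self._locked_until.get(client, 0) > now:
            return "locked"
        if secrets.compare_digest(guess, self._passcode):
            self._failures.pop(client, None)
            return "ok"
        self._failures[client] += 1
        if self._failures[client] >= self.max_attempts:
            self._locked_until[client] = now + self.lockout_seconds
            self._failures.pop(client, None)
        return "wrong"
```

With the unthrottled 6-digit space, `minutes_to_exhaust(DIGITS, 6, 10_000)` comes out under two minutes; the same rate against a 10-character alphanumeric code would take longer than the age of the universe, and the gate stops a single client after five wrong guesses anyway.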
However, Anthony noted that a hacker may have infiltrated a meeting without the other participants noticing by using a generic ID like “iPhone” or “Home PC”.
What is Zoom?
- Popular chat app Zoom is best-known for offering video calls – including calls with huge numbers of people
- There’s a free tier with unlimited meetings, but these group chats are capped at 40 minutes
- The most expensive tier gets you meetings with up to 1,000 participants, but there are cheaper options
- Perhaps the only downside is that Zoom has had privacy issues in the past, which may put some businesses off
- Signing up to Zoom is free and easy
- Anyone can sign up to Zoom by downloading the app, or heading to the official website