Zoom bug gave hackers access to any private meeting

Zoom was forced to amend password policies

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A simple vulnerability found in the web client ofvideo conferencingplatformZoomcould have allowed hackers to listen in on any private meeting of their choosing.

Identified by Tom Anthony, VP Product atSEOfirm SearchPilot, the Zoom vulnerability stemmed from the absence of rate limiting on private meeting log in attempts.

As Anthony explains in a recentblog post, Zoom meetings used to be protected by a 6-digit numeric password, making for a maximum of one million different permutations. This might sound like a considerable number but, using a simple Python program, a hacker could easily trial all possiblepasswordsand brute force their way into any meeting in minutes.

Meetings set to take place at regular intervals were particularly vulnerable to attack, since the password remains the same for each batch-scheduled meeting.

Zoom security

Zoom has experienced a sharp uptick in user numbers in recent months and currently serves over 300 million daily meeting participants.

Having rocketed into public consciousness as a result of coronavirus lockdown measures and the rise of remote working, Zoom has faced significant scrutiny where security is concerned.

Since March, researchers have uncovered a litany of vulnerabilities in the service - from the opportunity for credential theft to app hijacking, malicious code injection and more - forcing the company to suspend product development for a period to focus on eliminating security bugs.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

After verifying the brute force exploit using a crudePythonprogram running on an AWS machine, Anthony disclosed the vulnerability on April 1, which led to the suspension of the Zoom web client on April 2 - an outage that lasted one week.

During this time, Zoom implemented policy that required web client users to log into an account before joining a meeting. The company also made default passwords longer and included non-numeric characters, drastically increasing the number of possible password permutations.

“We have since improved rate limiting and relaunched the web client on April 9. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild,” Zoom explained in a statement.

As Anthony notes, however, it is plausible an attacker might have infiltrated a Zoom meeting by this vector without alerting the other participants, hidden behind a generic user ID such as “iPhone” or “Home PC”.

ViaBleeping Computer

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time