Zoom bug lets attackers crack private meeting passwords


Popular video conferencing app Zoom has fixed a newly reported security flaw that could have let attackers crack the numeric passcode used to secure private meetings on the platform and snoop on participants.

By default, Zoom meetings were protected by a 6-digit numeric passcode, which gives at most 1 million possible values.

Tom Anthony, VP Product at SearchPilot, spotted the vulnerability in the Zoom web client: it allowed attackers to guess any meeting’s password by trying every possible combination until the correct one was found.

He stated that by exploiting the vulnerability an attacker could attempt all 1 million passwords in a matter of minutes and gain access to other people’s password-protected private Zoom meetings.

Also, recurring meetings, including those using Personal Meeting IDs (PMIs), always have the same passcode, so attackers would only need to crack it once to gain permanent access to future sessions.

Anthony demonstrated that he could crack a meeting’s password (including that of scheduled meetings) within 25 minutes, after checking 91,000 passwords from a single AWS machine.

He added that with improved threading and distribution across 4-5 cloud servers, the entire password space could be checked within a few minutes.

Anthony reported the web client issue to Zoom in April, along with a Python proof of concept showing how attackers could brute-force their way into any password-protected meeting.

Within a week, Zoom addressed the missing rate limiting on password attempts by “requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer.”
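As an added illustration of the defensive side, not Zoom’s code or Anthony’s proof of concept, the following is a hypothetical sliding-window limiter on failed passcode guesses keyed both per meeting and per client, together with the arithmetic for how long exhausting the 10^6 numeric keyspace would take once such a limit is in place. All names and parameters are assumptions chosen for the example.

```python
import hmac
import time
from collections import defaultdict, deque

KEYSPACE = 10 ** 6  # 6-digit numeric passcodes, as described in the article


class PasscodeRateLimiter:
    """Hypothetical defensive design (not Zoom's implementation).

    Failed guesses are counted per meeting AND per client, so a single
    meeting cannot be brute-forced from many source addresses, and a
    single source cannot spray guesses across many meetings.
    Trade-off: locking a meeting on failures lets an attacker lock out
    legitimate joiners, so the window should be short and the event alerted.
    """

    def __init__(self, max_failures=5, window_seconds=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable for deterministic testing
        self.failures = defaultdict(deque)  # key -> timestamps of failures

    def _recent_failures(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # drop entries outside the window
            q.popleft()
        return len(q)

    def attempt_join(self, meeting_id, client_id, supplied, real_passcode):
        """Return 'joined', 'wrong_passcode' or 'rate_limited'.

        The limit is checked BEFORE the passcode is compared, so a blocked
        attempt reveals nothing about whether the guess was correct.
        """
        now = self.clock()
        keys = (("meeting", meeting_id), ("client", client_id))
        if any(self._recent_failures(k, now) >= self.max_failures for k in keys):
            return "rate_limited"
        if hmac.compare_digest(supplied, real_passcode):  # constant-time compare
            return "joined"
        for k in keys:
            self.failures[k].append(now)
        return "wrong_passcode"


def worst_case_exhaust_seconds(max_failures, window_seconds, keyspace=KEYSPACE):
    """Seconds needed to try every passcode when a meeting accepts at most
    max_failures wrong guesses per window: keyspace / (max_failures / window)."""
    return keyspace * window_seconds / max_failures
```

With 5 failures per minute the full keyspace takes over 138 days per meeting, compared with the minutes the article describes for the unthrottled web client.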

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
