Popular video conferencing app Zoom fixed a new security flaw that could have let attackers crack the numeric passcode used to secure private meetings on the platform and snoop on participants.
Zoom meetings were protected by a 6-digit numeric passcode by default, which means at most 1 million possible passcodes.
Tom Anthony, VP Product at SearchPilot, spotted the vulnerability in the Zoom web client, which allowed attackers to guess any meeting’s passcode by trying every possible combination until the correct one was found.
He stated that by exploiting the vulnerability, an attacker could attempt all 1 million passcodes in a matter of minutes and gain access to other people’s password-protected private Zoom meetings.
Also, recurring meetings, including Personal Meeting IDs (PMIs), always have the same passcode, so attackers would only have to crack it once to gain permanent access to future sessions.
Anthony demonstrated that he could crack a meeting’s password (including scheduled meetings) within 25 minutes after checking 91,000 passwords using an AWS machine.
He added that with improved threading and by distributing the work across 4-5 cloud servers, the entire passcode space could be checked within a few minutes.
Anthony reported the Zoom web client issue to the company in April, along with a Python proof of concept to show how attackers could brute-force their way into any password-protected meeting.
Within a week, Zoom addressed the password attempt rate limiting issue by “requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer.”
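As an added example (not code from the article, from Anthony's proof of concept, or from Zoom), the arithmetic behind the 1-million-passcode search space, and a hypothetical per-meeting attempt throttle of the kind the fix introduced. The meeting ID, passcode and thresholds are constructed values.

```python
import time
from collections import defaultdict


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of the given length over the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(length: int, alphabet_size: int, attempts_per_second: float) -> float:
    """Time to try every passcode at a fixed, unthrottled attempt rate."""
    return keyspace(length, alphabet_size) / attempts_per_second


class PasscodeVerifier:
    """Passcode check with per-meeting throttling (hypothetical mitigation, not
    Zoom's implementation): after `max_failures` wrong guesses inside
    `window_seconds`, further attempts on that meeting are refused until the
    oldest failures fall out of the window."""

    def __init__(self, passcodes, max_failures=5, window_seconds=60.0, clock=time.monotonic):
        self._passcodes = dict(passcodes)      # meeting_id -> passcode (constructed)
        self._failures = defaultdict(list)     # meeting_id -> failure timestamps
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._clock = clock                    # injectable for deterministic tests

    def _recent_failures(self, meeting_id, now):
        cutoff = now - self.window_seconds
        self._failures[meeting_id] = [t for t in self._failures[meeting_id] if t > cutoff]
        return self._failures[meeting_id]

    def attempt(self, meeting_id: str, guess: str) -> str:
        """Returns 'ok', 'wrong' or 'throttled'. A throttled meeting rejects even
        the correct passcode, which is what caps an online brute force."""
        now = self._clock()
        if len(self._recent_failures(meeting_id, now)) >= self.max_failures:
            return "throttled"
        if self._passcodes.get(meeting_id) == guess:
            return "ok"
        self._failures[meeting_id].append(now)
        return "wrong"


if __name__ == "__main__":
    # Rate observed in the article: 91,000 guesses in 25 minutes from one machine.
    rate = 91_000 / (25 * 60)
    print(f"6-digit numeric, unthrottled: {worst_case_seconds(6, 10, rate) / 3600:.1f} h worst case")
    print(f"10-char alphanumeric keyspace: {keyspace(10, 62):.2e} passcodes")
```

With the throttle in place, the 6-digit space alone is no longer the limiting factor; the per-meeting attempt budget is.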