Recently revised six-number password default exposed by failure to throttle guesses
Zoom has resolved a serious security oversight that created a means for miscreants to crack private meeting passwords and eavesdrop on video conferencing sessions.
UK-based website developer turned security researcher Tom Anthony discovered that private meetings on Zoom were only protected by a six-digit numeric password, leaving one million possible combinations.
This, when combined with vulnerabilities in the Zoom web client that allowed attackers to check if a password was correct, created a means to run a brute-force attack in order to guess the password of a private meeting.
‘Matter of minutes’
A brute-force attack was only possible because of a lack of rate limiting of repeated password attempts combined with a cross-site request forgery (CSRF) issue involving a token on the privacy terms form.
Before the problem was resolved an attacker might have been able to attempt all one million passwords in a “matter of minutes” and gain access to other people’s private (password protected) Zoom meetings, according to Anthony.
This was possible because with a little ingenuity and coding nous, multiple password requests could be run in parallel.
The initial version of Anthony’s attack could only be run once a meeting had started. He later refined the attack so that it was possible to crack scheduled meetings too, because the DOM for un-started meetings indicated whether the password was correct versus incorrect.
The security researcher reported the issue to Zoom, which responded promptly by taking the web client offline and fixing the problem.
“This was my first research with Zoom, but I since got a couple of bounties from them for other (less exciting) issues I reported,” Anthony told The Daily Swig.
Cracking the code
“I got interested in Zoom because of the news about the cabinet meeting, and the fact I spotted an anonymous user was connected,” he told The Daily Swig.
“Given the Zoom meeting ID was in the screenshot I was interested in how hard would it really be to crack the password, especially given they are so short.”
Anthony went public with his findings by publishing a technical write-up earlier this week.
‘No evidence of abuse’
In response to a query from The Daily Swig, Zoom explained how it resolved the issue and stated it had no evidence of any abuse before the security problem was resolved.
“Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations,” a company spokesperson said.
“We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9th.”
“With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild. We thank Tom Anthony for bringing this issue to our attention.”
The researcher added that he hadn’t looked into the security of alternative video conferencing platforms, so he was unable to offer a comparison between Zoom and rivals such as Jitsi and Microsoft Meet.
“I can't answer about alternative platforms, but I note Zoom has been getting a lot more scrutiny,” he explained.