The automatically generated passwords protecting private Zoom meetings could be cracked with relative ease, allowing access to sensitive conferences, a researcher has discovered.
Web site developer Tom Anthony decided on March 31 this year to see if he could crack the password for private Zoom meetings.
This followed the Prime Minister of Britain Boris Johnson chairing the first ever digital cabinet meeting during the COVID-19 pandemic, posting a screenshot of the event on Twitter.
Anthony was among several who noticed that the screenshot had the Zoom meeting identifier visible.
Apart from the meeting ID, the link for the meeting also contained an automatically generated six digit hashed password, Anthony noticed.
The six digits meant a maximum of one million passwords, a low number of possiblities that could be brute-forced guessed within a few minutes using four to five cloud servers to do the work, Anthony wrote.
Making the matter worse, Zoom had not put a rate limit on repeated password guesses, and Anthony also discovered other issues that made the attack work on scheduled meetings as well.
It is possible to change the default, six-digit password but only for scheduled Zoom meetings and not for spontaneous ones.
Zoom users appear unlikely to have changed the default six-digit numeric password to one with the maximum ten characters allowed, which could be alphanumeric, opening up the possiblity eavesdropping of conferences with relative ease.
Anthony speculated that he wasn't the first to have discovered the flaw, since there was user called "iPhone" with camera and microphone turned off in the UK PM's cabinet Zoom call.
Zoom was quick to address the vulnerability, by adding rate limiting and improving the poor password system in the first week of April after Anthony reported the flaw to the company on the first of the month.
“Upon learning of this issue on April 1, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations," a Zoom spokesperson said.
"We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9.
"With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild.
"We thank Tom Anthony for bringing this issue to our attention. If you think you’ve found a security issue with Zoom products, please send a detailed report to firstname.lastname@example.org."
The video conferencing company shot to popularity with hundreds of millions of users as the COVID-19 pandemic made meetings in person impossible, but has been sharply criticised for poor security.