iTnews

Zoom private meeting passwords were easily crackable

By Juha Saarinen on Jul 31, 2020 9:44AM

Did not rate limit low-complexity password guesses.

The automatically generated passwords protecting private Zoom meetings could be cracked with relative ease, allowing access to sensitive conferences, a researcher has discovered.

Web site developer Tom Anthony decided on March 31 this year to see if he could crack the password for private Zoom meetings.

This followed British Prime Minister Boris Johnson chairing the first ever digital cabinet meeting during the COVID-19 pandemic and posting a screenshot of the event on Twitter.

Anthony was among several who noticed that the screenshot had the Zoom meeting identifier visible.

Apart from the meeting ID, the link for the meeting also contained an automatically generated six-digit hashed password, Anthony noticed.

The six digits meant a maximum of one million passwords, a low number of possibilities that could be guessed by brute force within a few minutes using four to five cloud servers to do the work, Anthony wrote.

Making the matter worse, Zoom had not put a rate limit on repeated password guesses, and Anthony also discovered other issues that made the attack work on scheduled meetings as well.

It is possible to change the default six-digit password, but only for scheduled Zoom meetings and not for spontaneous ones.

Zoom users appear unlikely to have changed the default six-digit numeric password to one using the maximum of ten characters allowed, which can be alphanumeric, opening up the possibility of eavesdropping on conferences with relative ease.
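As an added illustration that is not from the article, from Anthony or from Zoom, the following Python puts the keyspace arithmetic above next to what a per-meeting rate limit on password checks does to the guess budget; the limiter policy (five checks per minute, five-minute lockout), the ten-character charset and the per-server guess rate are assumed values.

```python
import time
from collections import deque

# Keyspaces of the two password formats the article contrasts.
NUMERIC_6 = 10 ** 6      # six numeric digits: one million candidates
ALNUM_10 = 36 ** 10      # ten characters from a-z and 0-9 (assumed charset)

def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a sustained aggregate guess rate."""
    return keyspace / guesses_per_second

class MeetingPasswordRateLimiter:
    """Per-meeting sliding-window limiter (an assumed policy, not Zoom's): at most
    max_attempts password checks per window_seconds; the attempt that exceeds it
    locks the meeting id for lockout_seconds. `clock` is injectable for tests."""

    def __init__(self, max_attempts=5, window_seconds=60, lockout_seconds=300,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._attempts = {}       # meeting_id -> deque of attempt timestamps
        self._locked_until = {}   # meeting_id -> time at which the lockout ends

    def allow(self, meeting_id):
        """Return True if a password check for meeting_id may proceed now."""
        now = self.clock()
        if self._locked_until.get(meeting_id, 0.0) > now:
            return False
        q = self._attempts.setdefault(meeting_id, deque())
        while q and now - q[0] >= self.window:   # forget attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[meeting_id] = now + self.lockout
            return False
        q.append(now)
        return True

    def max_guesses_per_hour(self):
        """Upper bound on checks one meeting id accepts per hour: even an attacker
        who paces attempts to avoid lockouts gets only max_attempts per window."""
        return self.max_attempts * 3600 / self.window

if __name__ == "__main__":
    # No limit: assumed 5 servers at 1,000 guesses/s each against one million candidates.
    print("no limit:", seconds_to_exhaust(NUMERIC_6, 5 * 1000) / 60, "minutes")
    rl = MeetingPasswordRateLimiter()
    print("5/min limit:", seconds_to_exhaust(NUMERIC_6, rl.max_guesses_per_hour() / 3600) / 86400, "days")
```

Under those assumptions the unlimited case exhausts the six-digit keyspace in about three minutes, while the limited case stretches the same search to roughly 139 days for a single meeting id.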

Anthony speculated that he wasn't the first to have discovered the flaw, since there was a user called "iPhone" with camera and microphone turned off in the UK PM's cabinet Zoom call.

Zoom was quick to address the vulnerability, adding rate limiting and improving the poor password system in the first week of April, after Anthony reported the flaw to the company on the first of the month.

"Upon learning of this issue on April 1, we immediately took down the Zoom web client to ensure our users' security while we implemented mitigations," a Zoom spokesperson said.

"We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9.

"With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild.

"We thank Tom Anthony for bringing this issue to our attention. If you think you've found a security issue with Zoom products, please send a detailed report to security@zoom.us."

The video conferencing company shot to popularity with hundreds of millions of users as the COVID-19 pandemic made meetings in person impossible, but has been sharply criticised for poor security.

Copyright © iTnews.com.au. All rights reserved.