iTnews
Zoom private meeting passwords were easily crackable

By Juha Saarinen on Jul 31, 2020 9:44AM
Did not rate limit low-complexity password guesses.

The automatically generated passwords protecting private Zoom meetings could be cracked with relative ease, allowing access to sensitive conferences, a researcher has discovered.

Web site developer Tom Anthony decided on March 31 this year to see whether he could crack the password protecting a private Zoom meeting.

This followed British Prime Minister Boris Johnson chairing the first ever digital cabinet meeting of the COVID-19 pandemic and posting a screenshot of the event on Twitter.

Anthony was among several who noticed that the screenshot had the Zoom meeting identifier visible.

Apart from the meeting ID, the link for the meeting also contained an automatically generated six-digit password in hashed form, Anthony noticed.

Six digits means a maximum of one million possible passwords, a number small enough to be brute-forced within a few minutes using four or five cloud servers to do the guessing, Anthony wrote.

Making the matter worse, Zoom had not put a rate limit on repeated password guesses, and Anthony also discovered other issues that made the attack work on scheduled meetings as well.

It is possible to change the default six-digit password, but only for scheduled Zoom meetings and not for spontaneous ones.

Zoom users appear unlikely to have changed the default six-digit numeric password to one using the maximum ten characters allowed, which can be alphanumeric, opening up the possibility of eavesdropping on conferences with relative ease.
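The arithmetic behind the attack, and the mitigation Zoom shipped, can be shown with a small simulation. The following is an added example and not Zoom's code or Anthony's proof of concept: the MeetingEndpoint class is a hypothetical stand-in for the meeting-join check, the meeting password is a constructed value, and no traffic is sent anywhere. It splits the 000000 to 999999 keyspace across several simulated servers, as a distributed attacker would, and shows that the same search stalls after a handful of guesses once the endpoint locks a meeting after repeated failures. It also compares the six-digit numeric keyspace with the ten-character alphanumeric one the article mentions.

```python
"""Added example: online brute force of a 6-digit numeric meeting password versus
a rate-limited endpoint. Hypothetical simulation only; not Zoom's implementation."""
import math
import secrets
import string
from typing import Optional, Tuple


class MeetingEndpoint:
    """Simulated join-meeting password check (hypothetical; not Zoom's code).

    max_failures=None reproduces the flaw described in the article: unlimited
    guesses are accepted for one meeting ID. A finite max_failures models the fix:
    after that many wrong guesses the endpoint stops answering for this meeting.
    """

    def __init__(self, password: str, max_failures: Optional[int] = None):
        self._password = password
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def try_join(self, guess: str) -> bool:
        if self.locked:
            return False
        # Constant-time comparison so the check itself leaks no timing signal.
        if secrets.compare_digest(guess, self._password):
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return len(alphabet) ** length


def guess_time_seconds(space: int, guesses_per_second: float, servers: int) -> float:
    """Worst-case wall-clock seconds to exhaust `space` with `servers` parallel guessers."""
    return space / (guesses_per_second * servers)


def brute_force_six_digits(endpoint: MeetingEndpoint, servers: int = 4) -> Tuple[Optional[str], int]:
    """Exhaust 000000..999999 the way a distributed attacker would.

    The keyspace is cut into `servers` contiguous shards that are walked in
    lockstep, one guess per shard per round (a round is the wall-clock unit).
    Returns (password, rounds), or (None, rounds) if the endpoint locked the
    meeting before the password was reached.
    """
    total = 10 ** 6
    per_shard = math.ceil(total / servers)
    for step in range(per_shard):
        for shard in range(servers):
            candidate = shard * per_shard + step
            if candidate >= total:
                continue
            guess = f"{candidate:06d}"  # zero-padded, as the password is 6 digits
            if endpoint.try_join(guess):
                return guess, step + 1
            if endpoint.locked:
                return None, step + 1
    return None, per_shard


if __name__ == "__main__":
    PASSWORD = "742913"  # constructed sample value, not a real meeting password
    found, rounds = brute_force_six_digits(MeetingEndpoint(PASSWORD), servers=4)
    print(f"no rate limit: recovered {found} after {rounds} rounds per server")
    found, rounds = brute_force_six_digits(MeetingEndpoint(PASSWORD, max_failures=10), servers=4)
    print(f"locked after 10 failures: recovered {found} after {rounds} rounds")
    numeric = keyspace(string.digits, 6)
    alnum = keyspace(string.ascii_letters + string.digits, 10)
    print(f"6-digit numeric: {numeric:,} passwords; 10-char alphanumeric: {alnum:.2e}")
    print(f"5 servers at 1000 guesses/s each exhaust 6 digits in {guess_time_seconds(numeric, 1000, 5):.0f} s")
```

The lockout here is a deliberately blunt per-meeting counter; a production endpoint would typically throttle per source and per meeting and back off rather than hard-lock, so that an attacker cannot lock legitimate attendees out. The point it illustrates is the one the article makes: a six-digit numeric password is only as strong as the rate limit in front of it.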

Anthony speculated that he was not the first to have discovered the flaw, since there was a user called "iPhone" with camera and microphone turned off in the UK PM's cabinet Zoom call.

Zoom was quick to address the vulnerability, adding rate limiting and improving the weak password scheme in the first week of April, after Anthony reported the flaw to the company on the first of the month.

“Upon learning of this issue on April 1, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations," a Zoom spokesperson said.

"We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9.

"With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild.

"We thank Tom Anthony for bringing this issue to our attention. If you think you’ve found a security issue with Zoom products, please send a detailed report to security@zoom.us."

The video conferencing company shot to popularity with hundreds of millions of users as the COVID-19 pandemic made meetings in person impossible, but has been sharply criticised for poor security.

Copyright © iTnews.com.au . All rights reserved.