A simple vulnerability found in the web client of video conferencing (opens in new tab) platform Zoom (opens in new tab) could have allowed hackers to listen in on any private meeting of their choosing.
Identified by Tom Anthony, VP Product at SEO firm SearchPilot, the Zoom vulnerability stemmed from the absence of rate limiting on private meeting log in attempts.
As Anthony explains in a recent blog post (opens in new tab), Zoom meetings used to be protected by a 6-digit numeric password, making for a maximum of one million different permutations. This might sound like a considerable number but, using a simple Python program, a hacker could easily trial all possible passwords (opens in new tab) and brute force their way into any meeting in minutes.
- Check out our list of the best productivity software (opens in new tab) on the market
- Working from home (opens in new tab): the mouse, monitor, keyboard and router you need
- Here's our list of the best project management (opens in new tab) software out there
Meetings set to take place at regular intervals were particularly vulnerable to attack, since the password remains the same for each batch-scheduled meeting.
Zoom has experienced a sharp uptick in user numbers in recent months and currently serves over 300 million daily meeting participants.
Having rocketed into public consciousness as a result of coronavirus lockdown measures and the rise of remote working, Zoom has faced significant scrutiny where security is concerned.
Since March, researchers have uncovered a litany of vulnerabilities in the service - from the opportunity for credential theft to app hijacking, malicious code injection and more - forcing the company to suspend product development for a period to focus on eliminating security bugs.
After verifying the brute force exploit using a crude Python (opens in new tab) program running on an AWS machine, Anthony disclosed the vulnerability on April 1, which led to the suspension of the Zoom web client on April 2 - an outage that lasted one week.
During this time, Zoom implemented policy that required web client users to log into an account before joining a meeting. The company also made default passwords longer and included non-numeric characters, drastically increasing the number of possible password permutations.
“We have since improved rate limiting and relaunched the web client on April 9. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild,” Zoom explained in a statement.
As Anthony notes, however, it is plausible an attacker might have infiltrated a Zoom meeting by this vector without alerting the other participants, hidden behind a generic user ID such as “iPhone” or “Home PC”.
- Here's our list of the best collaboration tools (opens in new tab) on the market
Via Bleeping Computer (opens in new tab)