A serious vulnerability existed in the Zoom video conferencing app that the vendor has recently patched. The flaw in the Zoom app could allow an attacker to join meetings and get access to the shared files.
Zoom Flaw Allowing Hacking Attacks
Researchers from Check Point Research have discovered a serious security flaw in the Zoom video conferencing app. The vulnerability could potentially allow an adversary to sneak into an ongoing meeting and listen to the content.
Sharing the details in a post, the researchers revealed that the problem existed with Zoom Meeting IDs. They found that the Meeting IDs simply comprised of 9, 10, or 11 digits. Thus, it was possible for an adversary to guess the Meeting IDs via a simple brute force.
Then, to check the validity of a Meeting ID, the researchers noted that the following ‘div’ element:
“for url in urls:
yield MakeHTTPRequest(url=url, callback=parseResponse)
def MakeHTTPRequest(url, callback)
…
def parseResponse(response):
if response.css('div#join-errormsg').get() is None:
print('Valid Meeting ID found: {}'.format(response.url))
else:
print('Invalid Meeting ID') As stated in their post,
We discovered a fast and easy way to check this based on the following “div” element present in the HTML Body of the returned response when accessing “Join Meeting” URL (https://zoom.us/j/{MEETING_ID})
<div id="join-errormsg" class="error"><i></i><span>Invalid meeting ID.</span></div>
Thus, anyone using this trick could join a meeting when knowing its validity. This would then allow the adversary to listen to all the conversations and access files shared during the meeting.
Highlighting the possible impact of this vulnerability and the ease of exploit, the researchers stated,
We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success, comparing to the pure brute force.
Zoom Patched The Vulnerability
The bug specifically worked against those Zoom Meetings that did not ask user authentication before joining. Whereas, for those with the “Require meeting password” option enabled, the glitch won’t work as the additional security check would prevent unauthorized connections.
The researchers reported the matter to Zoom authorities in July 2019. Consequently, Zoom quickly patched the bug by replacing the randomized Meeting IDs with a cryptographically strong one.
They also introduced other security features such as enabling passwords to all future scheduled meetings by default. Moreover, they won’t even notify anymore regarding the validity of a Meeting ID, causing the page to reload with every join attempt. In addition, any device detected for repeated scanning of Meeting IDs will be blocked for a certain period.
Earlier, researchers also found a bug in the Zoom app for Mac that could allow unauthorized webcam takeovers.
