No Limit On Password Attempts Exposed Zoom Private Meetings To Cyber Attacks

Once again, a Zoom vulnerability has surfaced online that exposed Private Meetings to snoopers. The bug existed because Zoom didn’t put any limit on the number of password attempts to enter a meeting.

Zoom Private Meetings Exposed To Attacks

Reportedly, Tom Anthony, VP SearchPilots, found a serious vulnerability in the Zoom video conferencing platform. He found that the flaw in the Zoom Web Client exposed Private Meetings to intruders.

Sharing the details in a blog post, he revealed that the bug existed because of unlimited password attempts. That is, Zoom did not implement any specified number limit on the password attempts made to enter a meeting.

This potentially exposed Private Meetings as anyone could enter them simply by bruteforcing passwords.

As a standard, Zoom implements a 6-digit numeric password to enter a Private Meeting. It means it potentially allows only 1 million passwords. This lacking, together with no limit on password attempts and broken CSRF allowed anyone to break into a Meeting within 1 minute.

As stated in his post,

There was a lack of rate limiting on the central mechanism of the platform, which combined with a poor default password system and faulty CSRF meant that meetings were really not secure.

Since the bug already existed, and given that many high-profile accounts (including UK PM Boris Johnson) publicly shared their Zoom Meeting screenshots (with Meeting IDs) to promote online communication, the researcher feared that people might already have exploited this flaw.

This also raises the troubling question as to whether others were potentially already using this vulnerability to listen in to other people’s calls (e.g. the UK Cabinet Meeting!).

Zoom Patched The Vulnerability

Tom discovered this vulnerability back in April 2020. He immediately reached out to Zoom to report the matter. Eventually, Zoom patched the vulnerability within a week from his bug report. So now, the patch is already out and this flaw no work exists.

Zoom has also confirmed the bug and the subsequent patch in an official statement.

Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9th. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild. We thank Tom Anthony for bringing this issue to our attention.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients