The coronavirus pandemic has seen a rise in the use of Zoom but the company has been struggling to maintain user privacy. The company, however, has faced a lot of backlash for not taking customer privacy seriously which forced the company to freeze feature releases for 90-days to patch the never-ending list of vulnerabilities. In early April, we reported how the users’ credentials were sold by hackers on the dark web. In late April, the company has released a new update to address the security issues.
Today, Tom Anthony, a security researcher, published a crucial security vulnerability in Zoom. With this exploit, anyone can join a password protected Zoom meeting. Zoom meetings are protected by a 6 digit numeric password by default. So, there is a possibility of 1 million different passwords. Tom found that the Zoom web client allowed anyone to check if a password is correct for a meeting without any limit on no.of attempts. So, an attacker can write a small Python code to try all the 1 million passwords and find the correct password in a few minutes.
After Tom reported this issue to Zoom, the Zoom web client went offline. Zoom mitigated the issue by both requiring a user log in to join meetings in the web client and also updating the default meeting passwords to be non-numeric and longer. Even though the issue is now fixed, it raises the following troubling question.
Whether attackers were already using this vulnerability to listen in to other people’s calls (e.g. the government meetings).
Update: Zoom spokesperson gave the following statement regarding the security issue.
“Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9th. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild. We thank Tom Anthony for bringing this issue to our attention. If you think you’ve found a security issue with Zoom products, please send a detailed report to email@example.com.”
Source: Tom Anthony