security flaw that could have allowed potential attackers to crack
the numeric passcode used to secure private meetings on the
platform and snoop on participants.
Zoom meetings are by default protected by a six-digit numeric
password, but according to Tom Anthony, VP Product at SearchPilot
who identified the issue[1], the lack of rate
limiting enabled “an attacker to attempt all 1 million passwords in
a matter of minutes and gain access to other people’s private
(password protected) Zoom meetings.”
It’s worth noting that Zoom began requiring a passcode for all meetings[2] back in April[3] as a preventive measure to combat Zoom-bombing attacks, which refers to the act of disrupting and hijacking Zoom meetings uninvited to share obscene and racist content.
Anthony reported the security issue to the company on April 1, 2020, along with a Python-based proof-of-concept script, a week after which Zoom patched the flaw on April 9.
The fact that meetings were, by default, secured by a six-digit
code meant there could be only a maximum of one million
passwords.
But in the absence of checks for repeated incorrect password attempts, an attacker could leverage Zoom’s web client (https://zoom.us/j/MEETING_ID) to continuously send HTTP requests to try all one million combinations.
“With improved threading, and distributing across 4-5 cloud
servers you could check the entire password space within a few
minutes,” Anthony said.
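The missing control described above is a per-meeting limit on failed passcode attempts. The following sketch, added here as an illustration and not Zoom’s code, shows a join check that locks a meeting’s passcode verification after a handful of recent failures and a helper that turns such a limit into a worst-case enumeration time for a six-digit space; the names MeetingGate, MAX_FAILURES and LOCKOUT_SECONDS, and the sample meeting id and passcode, are constructed assumptions.

```python
import hmac
import time
from collections import defaultdict

# Illustrative mitigation, not Zoom's implementation. Limits are assumptions.
MAX_FAILURES = 5        # failed attempts tolerated per meeting in one window
LOCKOUT_SECONDS = 300   # window length; the meeting stays locked this long


class MeetingGate:
    def __init__(self, passcodes, clock=time.monotonic):
        self._passcodes = dict(passcodes)     # meeting_id -> passcode (constructed)
        self._clock = clock                   # injectable for deterministic tests
        self._failures = defaultdict(list)    # meeting_id -> failure timestamps

    def _recent_failures(self, meeting_id):
        # Drop failures older than the window, return how many remain.
        now = self._clock()
        recent = [t for t in self._failures[meeting_id] if now - t < LOCKOUT_SECONDS]
        self._failures[meeting_id] = recent
        return len(recent)

    def try_join(self, meeting_id, passcode):
        """Return 'joined', 'denied' or 'locked'.

        While locked, the passcode is not even compared, so a guesser learns
        nothing and cannot walk the keyspace faster than the window allows.
        """
        if self._recent_failures(meeting_id) >= MAX_FAILURES:
            return "locked"
        expected = self._passcodes.get(meeting_id, "")
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if expected and hmac.compare_digest(expected, passcode):
            self._failures[meeting_id].clear()
            return "joined"
        self._failures[meeting_id].append(self._clock())
        return "denied"


def worst_case_seconds(keyspace, attempts_per_window, window_seconds):
    """Seconds needed to try every code when only `attempts_per_window`
    guesses are accepted per `window_seconds` (10**6 codes for six digits)."""
    return keyspace / attempts_per_window * window_seconds
```

With five guesses per 300-second window the full six-digit space takes about 6e7 seconds (roughly 1.9 years) instead of minutes. A production design would also key the limit on the requesting source and prefer a growing delay over a hard lock, since a hard per-meeting lock lets anyone who knows the meeting id keep legitimate participants out.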
The attack worked with recurring meetings, implying that bad
actors could have had access to the ongoing meetings once the
passcode was cracked.
The researcher also found that the same procedure could be repeated even with scheduled meetings, which offer the option to override the default passcode with a longer alphanumeric variant, by running it against a list of the top 10 million passwords to brute-force a login.
Separately, an issue was uncovered during the sign-in process
using the web client, which employed a temporary redirect to seek
customers’ consent to its terms of service and privacy
policy.
“There was a CSRF HTTP header sent during this step, but if you
omitted it then the request still seemed to just work fine anyway,”
Anthony said. “The failure on the CSRF token made it even easier to
abuse than it would be otherwise, but fixing that wouldn’t provide
much protection against this attack.”
Following the findings, Zoom took the web client offline to
mitigate the issues on April 2 before issuing a fix a week
later.
The video conferencing platform, which drew scrutiny for a number of security issues[4] as its usage soared during the coronavirus pandemic, has quickly patched the flaws as they were uncovered, even going to the extent of announcing a 90-day freeze on releasing new features to “better identify, address, and fix issues proactively.”
Just earlier this month, the company addressed a zero-day vulnerability[5] in its Windows app that could allow an attacker to execute arbitrary code on a victim’s computer running Windows 7 or older.
It also fixed a separate flaw[6] that could have allowed attackers to mimic an organization and trick its employees or business partners into revealing personal or other confidential information via social engineering attacks.
References
- [1] identified the issue (www.tomanthony.co.uk)
- [2] requiring a passcode (support.zoom.us)
- [3] back in April (support.zoom.us)
- [4] number of security issues (thehackernews.com)
- [5] zero-day vulnerability (thehackernews.com)
- [6] separate flaw (thehackernews.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/H9DhJM3q_Ho/zoom-meeting-password-hacking.html