Zoom web client flaw could’ve let hackers crack meetings passcode

The vulnerability, if exploited, would have affected millions of Zoom users worldwide.

The vulnerability, if exploited, would have affected millions of Zoom users – There are more than 13 million Zoom users worldwide.

A majority of people are forced to work from home in the wake of the COVID-19 pandemic-led lockdown worldwide. This prompted an unprecedented increase in the use of video conferencing apps like Zoom and Microsoft Teams.

As more and more people are turning to Zoom and using it regularly, the app’s security issues are getting highlighted as well. One such flaw was identified recently that could have let an attacker decode the numeric passcode using which people could conduct private meetings securely.

Online Jewish service 'Zoom bombed' with hate speech & Swastikas
One of the Zoom meetings in which hackers yelled profanities and projected x-rated images on-screen during the Valley Transportation Authority Board of Directors’ video meeting in April 2020.

It is worth noting that Zoom introduced the passcode requirement back in April to provide a secure environment for holding private meetings and prevent the risk of Zoom-bombing. Since April, Zoom meetings, by default, are protected by a 6-digit numeric passcode.

According to the findings of SearhPilot’s VP Product, Tom Anthony, due to a vulnerability in Zoom web client, an attacker can gain access to password-protected private meetings of Zoom users. This can be possible if the attacker tries all the 1 million passwords, which can be done within mere minutes. 

“With improved threading, and distributing across 4-5 cloud servers you could check the entire password space within a few minutes,” Anthony revealed.

The attacker can exploit Zoom’s web client and repeatedly send HTTP requests since it hasn’t enabled any checks on repetitive incorrect password attempts. As soon as the passcode is cracked, a hacker can access ongoing meetings.  

Moreover, the same process can help in accessing scheduled meetings. Since hackers don’t need to go through all the one million passcodes, it may not take very long to crack the passwords. Another point raised by Anthony is that Zoom’s Personal Meeting IDs always have the same passcode. Therefore, hackers only need to crack their password once to enjoy permanent access to future sessions. 

Anthony used an AWS machine to demonstrate how easy it was to obtain a meeting’s passcode to prove his point. He managed to crack the password within 25 minutes after checking 91,000 passcodes.

This occurs because of the “lack of rate-limiting” on repeated password attempts. The issue was reported to Zoom by Anthony on 1 April 2020, and the company fixed it by 9 April. Afterward, Anthony sent a Python-based PoC (proof-of-concept) to the company. 

See: ‘Zoom account suspended’ phishing scam aims at Office 365 credentials

Anthony identified another issue while signing in to the website via the web client. The process requires a temporary redirection to ask for customers’ consent to Zoom’s privacy policy and service terms. If the CSRF HTTP header, which should be sent during this process, is omitted, the request still works the same way. This, according to Anthony, means the CSRF token doesn’t function as required, and an attacker can easily exploit it as fixing it won’t solve the issue.

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

Related Posts