A flaw in the Zoom web client allowed attackers to guess meeting passwords and potentially listen in on private calls. This was possible because there was no limit on password guessing attempts and the default password was only six digits, giving just one million possible passwords. Tom Anthony, VP of Product at SearchPilot, who is credited with discovering the vulnerability, stated, “This enables an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.” He was able to access a private meeting within 25 minutes, after using an AWS machine to check approximately 91,000 passwords.

A Python proof-of-concept, along with news of the web client flaw, was provided to Zoom by Anthony on April 1st, 2020. Zoom took action on April 2nd, and the issue was resolved within a week. Zoom provided the following statement: “Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9th. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild. We thank Tom Anthony for bringing this issue to our attention. If you think you’ve found a security issue with Zoom products, please send a detailed report to [email protected].”
Before this fix, it was relatively easy to access a private meeting, even one that required a password; even so, when using Zoom it is always safer to require a password than not to have one at all. Now that the issue has been resolved, it should be much more difficult for potential eavesdroppers to gain access to private meetings. Always pay attention to the list of participants connected to an online meeting, especially if an extra caller joins without saying anything. For the most sensitive discussions, it is safest to use a conferencing solution hosted on a private server controlled by one of the parties on the call. Access to the conference should be protected with multi-factor authentication, and the voice and video streams should be end-to-end encrypted whenever possible.
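As an added illustration (not Zoom's code, and not the researcher's proof-of-concept), the following Python sketches the mitigation Zoom's statement describes, per-meeting attempt limiting with a lockout, and shows how it changes the worst-case time to exhaust the one-million-entry keyspace. The thresholds, the 1,000 guesses per second figure and the `MeetingPasswordVerifier` name are assumptions.

```python
"""Added example: why a six-digit meeting password needs attempt limiting."""
import hmac
import time
from collections import defaultdict

KEYSPACE = 10 ** 6  # six decimal digits, as in the article


class MeetingPasswordVerifier:
    """Verifier that, unlike the pre-fix web client, counts failed guesses
    per meeting and refuses further attempts once a threshold is reached.
    (Hypothetical design; a production system would also key on the client,
    since a per-meeting lockout alone lets one noisy client lock everyone out.)"""

    def __init__(self, max_failures=5, lockout_seconds=600, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the lockout expiry can be tested
        self._passwords = {}
        self._failures = defaultdict(int)
        self._locked_until = {}

    def register(self, meeting_id, password):
        self._passwords[meeting_id] = password

    def check(self, meeting_id, guess):
        """Return 'ok', 'wrong', or 'locked'."""
        now = self.clock()
        if self._locked_until.get(meeting_id, 0) > now:
            return "locked"
        expected = self._passwords.get(meeting_id, "")
        # constant-time comparison so response time does not leak partial matches
        if expected and hmac.compare_digest(expected, guess):
            self._failures[meeting_id] = 0
            return "ok"
        self._failures[meeting_id] += 1
        if self._failures[meeting_id] >= self.max_failures:
            self._locked_until[meeting_id] = now + self.lockout_seconds
            self._failures[meeting_id] = 0
        return "wrong"


def worst_case_hours(attempts_per_window, window_seconds):
    """Hours needed to try every six-digit password at a sustained attempt rate."""
    return KEYSPACE / attempts_per_window * window_seconds / 3600


def answered_guesses(verifier, meeting_id):
    """Simulate a guessing storm against the local verifier; count how many
    guesses receive a real answer before the lockout (or a hit) stops it."""
    answered = 0
    for candidate in range(KEYSPACE):
        result = verifier.check(meeting_id, f"{candidate:06d}")
        if result == "locked":
            break
        answered += 1
        if result == "ok":
            break
    return answered
```

With no limit, 1,000 attempts per second exhausts the keyspace in well under an hour; at five attempts per ten minutes the same sweep takes tens of thousands of hours.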