A flaw in the Zoom web client allowed attackers to guess meeting passwords and possibly listen in on private calls. The root cause was twofold: there was no limit on password guessing attempts, and the password was a six-digit number, which means there were only one million possible passwords. Tom Anthony, VP of Product at SearchPilot, who is credited with discovering the vulnerability, stated, “This enables an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.” He was able to access a private meeting within 25 minutes after using an AWS machine to check approximately 91,000 passwords. Anthony provided a Python proof-of-concept along with the news of the web client flaw to Zoom on April 1st, 2020. Zoom took action on April 2nd, and the issue was resolved within a week.

Zoom provided the following statement: “Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9th. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild. We thank Tom Anthony for bringing this issue to our attention. If you think you’ve found a security issue with Zoom products, please send a detailed report to firstname.lastname@example.org.”
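The defensive lesson here is the one Zoom's statement names: a short numeric secret is only as strong as the rate limit in front of it. The following is an added illustration written for this page; it is not code from the article, from Zoom, or from Anthony's proof-of-concept. The class name MeetingGate, the policy values MAX_ATTEMPTS and WINDOW_SECONDS, and the sample meeting id and password are assumptions chosen for the demonstration. It shows a join check that counts failed guesses per meeting inside a sliding window, compares the password in constant time, and reports how far a sweep of the six-digit keyspace gets with and without the limit.

```python
import hmac
import time
from collections import defaultdict

# Constructed example: a meeting-join gate with a per-meeting guess limit.
# Not Zoom's code; MeetingGate, MAX_ATTEMPTS and WINDOW_SECONDS are assumed
# names and policy values chosen for illustration.

KEYSPACE = 10 ** 6          # six numeric digits, as the article describes
MAX_ATTEMPTS = 5            # assumed policy: failed guesses allowed per meeting per window
WINDOW_SECONDS = 600        # assumed policy: ten-minute sliding window


class MeetingGate:
    def __init__(self, passwords, clock=time.monotonic):
        self._passwords = dict(passwords)      # meeting_id -> numeric password string
        self._failures = defaultdict(list)     # meeting_id -> timestamps of recent failures
        self._clock = clock                    # injectable clock so tests can freeze time

    def _prune(self, meeting_id, now):
        # Drop failures older than the window so the limit slides rather than locks forever.
        cutoff = now - WINDOW_SECONDS
        self._failures[meeting_id] = [t for t in self._failures[meeting_id] if t > cutoff]

    def join(self, meeting_id, guess):
        """Return 'ok', 'denied' or 'locked'. Failures are counted per meeting,
        so one meeting cannot be swept with the whole keyspace."""
        now = self._clock()
        self._prune(meeting_id, now)
        if len(self._failures[meeting_id]) >= MAX_ATTEMPTS:
            return "locked"
        expected = self._passwords.get(meeting_id, "")
        # Constant-time compare: do not leak how many leading digits matched.
        if hmac.compare_digest(expected, guess):
            self._failures[meeting_id].clear()
            return "ok"
        self._failures[meeting_id].append(now)
        return "denied"


def max_guesses_per_hour():
    """Upper bound on guesses this limiter permits against one meeting per hour."""
    return MAX_ATTEMPTS * (3600 // WINDOW_SECONDS)


def hours_to_exhaust_keyspace():
    """Time a single meeting would need to be hammered to try every six-digit code."""
    return KEYSPACE / max_guesses_per_hour()


def sweep_outcome(password="123456"):
    """Compare an unthrottled verifier with the gated one over the full keyspace.
    Returns (found_without_limit, found_with_limit, guesses_accepted_by_gate)."""
    # Unthrottled: every guess is checked, so the sweep always reaches the password.
    found_unlimited = any(f"{i:06d}" == password for i in range(KEYSPACE))

    frozen = [0.0]                                  # all guesses land in one window
    gate = MeetingGate({"m1": password}, clock=lambda: frozen[0])
    found_limited = False
    accepted = 0
    for i in range(KEYSPACE):
        result = gate.join("m1", f"{i:06d}")
        if result == "locked":
            break                                   # the gate stops the sweep here
        accepted += 1
        if result == "ok":
            found_limited = True
            break
    return found_unlimited, found_limited, accepted


if __name__ == "__main__":
    print("guesses per hour per meeting:", max_guesses_per_hour())
    print("hours to exhaust keyspace:", round(hours_to_exhaust_keyspace(), 1))
    print("sweep outcome (unlimited, limited, accepted):", sweep_outcome())
```

With the assumed policy the gate allows 30 guesses per meeting per hour, so exhausting the million-code keyspace would take on the order of 33,000 hours instead of the minutes Anthony measured; the sweep against the gated verifier stalls after five rejected guesses. A production deployment would also key the counter on the client (IP or session) and alert on meetings that hit the lock repeatedly, since a locked meeting is itself a detection signal.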