A small bug identified by Tom Anthony, VP Product at the SEO firm SearchPilot, could let attackers join your private meetings and listen in on your conversations.
Zoom has seen a huge surge in usage since the lockdown, with user numbers rising from 10 million to 300 million. With that many users, providing security and privacy has to be a top priority. Zoom's engineers are doing their best, but a small bug was exposed by Tom Anthony.
He states that meeting passwords are a six-digit combination of numbers, which means only a million possibilities. That number may sound huge, but for modern processors it is a matter of minutes to work through every password. There was also no limit on the number of login attempts for a meeting. He said: “I spent time reverse-engineering the endpoints for the web client Zoom provide. I was able to iterate over all possible default passwords to discover the password for a given private meeting.”
Exhausting a numeric password of 2-8 digits is very easy with a Python script. Trying every possible combination until one works is called a brute-force attack.
He also found it trivially easy to bypass Zoom’s cross-site request forgery (CSRF) prevention.
On his own machine it would take around 10 hours to run through all the possible combinations, but with improved threading and by distributing the work across 4-5 cloud servers, the entire password space could be checked within a few minutes. This would be fairly simple to do.
Zoom quickly acted on the issue raised by Anthony and shipped a major update. They rate-limited login attempts and changed default passwords from numeric to alphanumeric. The site was offline for one week, from 2 April to 9 April.
The number of possible combinations increases drastically with alphanumeric passwords. The update also brings various new features.
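To show why both halves of the fix matter, here is an added example (not Zoom's code) of a join-attempt limiter that budgets guesses per meeting as well as per source, alongside the keyspace arithmetic; the budgets, window and 62-character alphabet are assumptions.

```python
"""Added example: per-meeting join-attempt limiter plus keyspace comparison.
Hypothetical code, not Zoom's; budgets, window and alphabet are assumptions."""
from collections import defaultdict, deque

DIGITS = 10          # 0-9, the original six-digit default
ALPHANUMERIC = 62    # assumption: a-z, A-Z, 0-9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock hours for an unthrottled guesser to try every password."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


class JoinAttemptLimiter:
    """Sliding-window limiter on meeting join attempts.

    Two budgets are enforced: per (meeting, source) and per meeting across
    all sources, so spreading guesses over many hosts does not raise the
    total rate against one meeting.
    """

    def __init__(self, per_source: int, per_meeting: int, window_s: float):
        self.per_source = per_source
        self.per_meeting = per_meeting
        self.window_s = window_s
        self._by_source = defaultdict(deque)   # (meeting, source) -> timestamps
        self._by_meeting = defaultdict(deque)  # meeting -> timestamps

    def _prune(self, q: deque, now: float) -> None:
        # Drop attempts that have aged out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def allow(self, meeting_id: str, source: str, now: float) -> bool:
        """Return True if the attempt may proceed, recording it if so."""
        src_q = self._by_source[(meeting_id, source)]
        mtg_q = self._by_meeting[meeting_id]
        self._prune(src_q, now)
        self._prune(mtg_q, now)
        if len(src_q) >= self.per_source or len(mtg_q) >= self.per_meeting:
            return False
        src_q.append(now)
        mtg_q.append(now)
        return True
```

Call `allow()` before checking the submitted password; a denied attempt should be answered with the same generic error as a wrong password so the limiter does not leak which meetings exist.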
“We are not aware of any instances of this exploit being used in the wild,” a Zoom spokesperson said.
However, it is plausible that an attacker could have infiltrated a Zoom meeting by this route without alerting the other participants, hidden behind a generic user ID such as “iPhone” or “Home PC”.