Connect with us

Hi, what are you looking for?



Vulnerability Allowed Brute-Forcing Passwords of Private Zoom Meetings

A vulnerability that Zoom addressed in its web client could have allowed an attacker to join private meetings by brute-forcing the passcode.

The Zoom video-conferencing platform has become highly popular since the COVID-19 pandemic has forced many to work from home.

A vulnerability that Zoom addressed in its web client could have allowed an attacker to join private meetings by brute-forcing the passcode.

The Zoom video-conferencing platform has become highly popular since the COVID-19 pandemic has forced many to work from home.

As it was rising to fame, Zoom also came under heavy scrutiny from security companies and privacy advocates, which pushed it to improve the security of its users, including through implementing end-to-end encryption and through revamping its bug bounty program.

The newly disclosed issue, web developer and security researcher Tom Anthony reveals, was addressed in early April, just as security concerns regarding Zoom were being fueled by the wide adoption of the service.

Related to the lack of a limitation to the number of attempts allowed for checking the correct password for a meeting, the vulnerability could have allowed an attacker to join private meetings by simply trying all of the possible combinations.

The vulnerability was the result of a combination of factors, such as Zoom meetings being protected by default with 6-digit passcodes, no limit to the number of failed attempts to enter the correct code, and a broken cross-site request forgery (CSRF) protection in the web client.

“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings,” Anthony explains.

Advertisement. Scroll to continue reading.

To join a Zoom meeting, users typically need to click on a link that contains the meeting ID and an auto-generated password. Should the pwd parameter be removed from the link when attempting to join using the web client, the user is provided with a login screen.

Here, an attacker able to automate the process of entering the passcode and checking whether the server has accepted it (which involves sending two separate HTTP requests), could have joined a meeting within minutes, the researcher argues.

“However, the speed is limited by how quickly you can make HTTP requests, which have a natural latency which would make cracking a password a slow process; the server side state means you have to wait for the first request to complete before you can send the second,” Anthony explains.

The researcher was able to identify a correct password after checking over 40,000 of them in approximately half an hour, but notes that the process could be much faster when running multiple threads distributed across several cloud servers.

He also points out that recurring meetings all have the same passcode, meaning that, once cracked, the code would provide ongoing access. Moreover, he discovered that it was also possible to crack the passcode for scheduled meetings.

The researcher reported the vulnerability to Zoom on April 1 and within days the company took down the web client to address the bug, which took roughly a week. He also notes he was offered the opportunity to report the issue via Zoom’s private bug bounty program, to receive a monetary reward.

“Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9th. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild. We thank Tom Anthony for bringing this issue to our attention. If you think you’ve found a security issue with Zoom products, please send a detailed report to [email protected],” a Zoom spokesperson told SecurityWeek.

Related: Zoom Working on Patch for Code Execution Vulnerability in Windows Client

Related: Zoom Got Big Fast. Then Videobombers Made It Rework Security

Related: Vulnerability Allowed Attackers to Join Zoom Meetings

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.