A vulnerability that Zoom addressed in its web client could have allowed an attacker to join private meetings by brute-forcing the passcode.
The Zoom video-conferencing platform has become highly popular since the COVID-19 pandemic has forced many to work from home.
As it was rising to fame, Zoom also came under heavy scrutiny from security companies and privacy advocates, which pushed it to improve the security of its users, including through implementing end-to-end encryption and through revamping its bug bounty program.
The newly disclosed issue, web developer and security researcher Tom Anthony reveals, was addressed in early April, just as security concerns regarding Zoom were being fueled by the wide adoption of the service.
Related to the lack of a limitation to the number of attempts allowed for checking the correct password for a meeting, the vulnerability could have allowed an attacker to join private meetings by simply trying all of the possible combinations.
The vulnerability was the result of a combination of factors, such as Zoom meetings being protected by default with 6-digit passcodes, no limit to the number of failed attempts to enter the correct code, and a broken cross-site request forgery (CSRF) protection in the web client.
“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings,” Anthony explains.
To join a Zoom meeting, users typically need to click on a link that contains the meeting ID and an auto-generated password. Should the pwd parameter be removed from the link when attempting to join using the web client, the user is provided with a login screen.
Here, an attacker able to automate the process of entering the passcode and checking whether the server has accepted it (which involves sending two separate HTTP requests), could have joined a meeting within minutes, the researcher argues.
“However, the speed is limited by how quickly you can make HTTP requests, which have a natural latency which would make cracking a password a slow process; the server side state means you have to wait for the first request to complete before you can send the second,” Anthony explains.
The researcher was able to identify a correct password after checking over 40,000 of them in approximately half an hour, but notes that the process could be much faster when running multiple threads distributed across several cloud servers.
He also points out that recurring meetings all have the same passcode, meaning that, once cracked, the code would provide ongoing access. Moreover, he discovered that it was also possible to crack the passcode for scheduled meetings.
The researcher reported the vulnerability to Zoom on April 1 and within days the company took down the web client to address the bug, which took roughly a week. He also notes he was offered the opportunity to report the issue via Zoom’s private bug bounty program, to receive a monetary reward.
“Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9th. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild. We thank Tom Anthony for bringing this issue to our attention. If you think you’ve found a security issue with Zoom products, please send a detailed report to security@zoom.us,” a Zoom spokesperson told SecurityWeek.
Related: Zoom Working on Patch for Code Execution Vulnerability in Windows Client
Related: Zoom Got Big Fast. Then Videobombers Made It Rework Security
Related: Vulnerability Allowed Attackers to Join Zoom Meetings