A new Zoom Flaw allows hackers to crack the 6 digits numeric password that used to secure Zoom private meetings.
The vulnerability was discovered by Tom Anthony, VP Product at SearchPilot. The vulnerability resides in the Zoom web client that allowed checking passwords due to broken CSRF and no rate limiting.
Zoom Private Passwords
The vulnerability lets attackers guess any passwords by trying all possible combinations until finding the correct one. as there is no rate limit password attempts that prevent attackers from launching brute force attacks.
“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.”
There was no rate limit on repeated password attempts and the only limitation is how quickly you can make HTTP requests.
“We can see we are checking about 25 passwords a second and discovered the password (in this example I knew the password so had bounded my search). I ran a similar test from a machine in AWS and checked 91k passwords in 25 minutes.”
By having distributed environments like 4-5 cloud servers the entire password space can be checked within minutes.
The important thing to note is there is no way to change the 6 digits numeric password to a longer alphanumeric password.
Also, there is a CSRF on the Privacy Terms form which made it even easier for attackers to launch the password attacks.
Tom has reported the issue to Zoom on 1st April, Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate-limiting, addressed the CSRF token issues, and relaunched the web client on April 9th.
Other Zoom Flaws
A New Zoom URL Flaw Let Hackers Mimic Organization’s Invitation Link
Zoom 0day Vulnerability Let Remote Attacker to Execute Arbitrary Code on Victim’s Computer
New Zoom Flaw Let Attackers to Hack into the Systems of Participants via Chat Messages