31 C
Jaipur
Thursday, October 29, 2020

Zoom Flaw Let Hackers to Crack Private Meeting Passwords

Must read

iPhone 12 Pro’s Ceramic Shield Is Not as Scratch Resistant as You Might Expect

iPhone 12 series may not have changed a whole lot on the design front. The company, however, adopted a new Ceramic Shield to safeguard...

Gaming On Linux To Get Major Improvements, Thanks To Collabora

Gone are the days when people would criticize Linux for its incapability to run games. Thanks to the vast open source community, gaming on...

Call Of Duty Mobile Season 12 Expected Release Date

A few days back, Call of Duty Mobile released the Season 11 update to celebrate the game’s first anniversary. There’s a lot of amazing...

A new Zoom Flaw allows hackers to crack the 6 digits numeric password that used to secure Zoom private meetings.

The vulnerability was discovered by Tom Anthony, VP Product at SearchPilot. The vulnerability resides in the Zoom web client that allowed checking passwords due to broken CSRF and no rate limiting.

Zoom Private Passwords

The vulnerability lets attackers guess any passwords by trying all possible combinations until finding the correct one. as there is no rate limit password attempts that prevent attackers from launching brute force attacks.

“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.”

There was no rate limit on repeated password attempts and the only limitation is how quickly you can make HTTP requests.

“We can see we are checking about 25 passwords a second and discovered the password (in this example I knew the password so had bounded my search). I ran a similar test from a machine in AWS and checked 91k passwords in 25 minutes.”

By having distributed environments like 4-5 cloud servers the entire password space can be checked within minutes.

The important thing to note is there is no way to change the 6 digits numeric password to a longer alphanumeric password.

Also, there is a CSRF on the Privacy Terms form which made it even easier for attackers to launch the password attacks.

Tom has reported the issue to Zoom on 1st April, Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate-limiting, addressed the CSRF token issues, and relaunched the web client on April 9th.

Other Zoom Flaws

A New Zoom URL Flaw Let Hackers Mimic Organization’s Invitation Link

Zoom 0day Vulnerability Let Remote Attacker to Execute Arbitrary Code on Victim’s Computer

New Zoom Flaw Let Attackers to Hack into the Systems of Participants via Chat Messages

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article

iPhone 12 Pro’s Ceramic Shield Is Not as Scratch Resistant as You Might Expect

iPhone 12 series may not have changed a whole lot on the design front. The company, however, adopted a new Ceramic Shield to safeguard...

Gaming On Linux To Get Major Improvements, Thanks To Collabora

Gone are the days when people would criticize Linux for its incapability to run games. Thanks to the vast open source community, gaming on...

Call Of Duty Mobile Season 12 Expected Release Date

A few days back, Call of Duty Mobile released the Season 11 update to celebrate the game’s first anniversary. There’s a lot of amazing...

10 Funniest WiFi Names You Could Possibly Think Of

When it comes to naming their WiFi, people tend to go for something simple such as “Bedroom_Wifi” or something more personal such as “Monica’s...