Zoom Flaw Allowed Hackers To Crack Meeting Passcodes
Zoom, a popular video conferencing platform, disclosed a security issue which could allow hackers to crack private meeting passcodes and eavesdrop on video conferences. The problem, which has already been fixed, stems from Zoom not having any check against repeated, incorrect meeting password attempts. The six-digit, numeric passcodes that protect Zoom meetings were added by Zoom in April as a security measure to prevent Zoom-bombers from entering meetings.
The issue stems from Zoom lacking a standard principle of password security: limiting the number of password attempts. Without such a limit, a hacker could iterate over a list of candidate passcodes, leverage Zoom's web client, and continuously send HTTP requests to check each one. This allows hackers to attempt all 1 million passcodes in minutes and gain access to other people's private Zoom meetings.
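The missing control described above is easiest to see in code. The following is an added illustration, not Zoom's implementation: a hypothetical server-side `PasscodeVerifier` that counts failed guesses per meeting and refuses further checks for a lockout window once a small threshold is reached. The meeting ID, passcode, threshold and lockout duration are constructed sample values. The `sweep` helper feeds every six-digit value to a local verifier so you can compare how many guesses are actually evaluated with and without the lockout.

```python
"""Added example: per-meeting attempt throttling for a six-digit passcode.

Illustrative code only, not Zoom's implementation. The meeting ID, passcode,
MAX_FAILURES and LOCKOUT_SECONDS below are constructed sample values.
"""
import hmac
from collections import defaultdict

MAX_FAILURES = 5        # failed guesses tolerated before a meeting locks (assumed)
LOCKOUT_SECONDS = 900   # how long the meeting refuses further checks (assumed)
KEYSPACE = 1_000_000    # six numeric digits, as stated in the article


class PasscodeVerifier:
    """Server-side passcode check with a per-meeting lockout.

    Pass max_failures=None to model the unthrottled behaviour the article
    describes; every guess is then compared, no matter how many arrive.
    """

    def __init__(self, passcodes, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS):
        self._passcodes = dict(passcodes)      # meeting_id -> correct passcode
        self._max_failures = max_failures
        self._lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)      # meeting_id -> consecutive failures
        self._locked_until = {}                # meeting_id -> time lock expires
        self.evaluated = 0                     # guesses actually compared

    def check(self, meeting_id, guess, now):
        """Return 'ok', 'wrong' or 'locked' for one guess made at time `now`."""
        if now < self._locked_until.get(meeting_id, float("-inf")):
            return "locked"                    # rejected without any comparison
        self.evaluated += 1
        expected = self._passcodes.get(meeting_id, "")
        # Constant-time comparison so timing does not leak the passcode.
        if expected and hmac.compare_digest(expected, guess):
            self._failures[meeting_id] = 0
            return "ok"
        self._failures[meeting_id] += 1
        if (self._max_failures is not None
                and self._failures[meeting_id] >= self._max_failures):
            # Lock the meeting and reset the counter for the next window.
            self._locked_until[meeting_id] = now + self._lockout_seconds
            self._failures[meeting_id] = 0
        return "wrong"


def sweep(verifier, meeting_id, seconds_per_guess=0.0005):
    """Offer every six-digit value to a local verifier, stopping on success.

    Returns (guesses_evaluated, found). Models the enumeration the article
    describes against the in-memory verifier only; with the lockout active
    the server stops comparing after MAX_FAILURES guesses.
    """
    for n in range(KEYSPACE):
        if verifier.check(meeting_id, f"{n:06d}", now=n * seconds_per_guess) == "ok":
            return verifier.evaluated, True
    return verifier.evaluated, False


def worst_case_sweep_seconds(keyspace=KEYSPACE, max_failures=MAX_FAILURES,
                             lockout_seconds=LOCKOUT_SECONDS):
    """Time to exhaust the keyspace when each lockout window allows max_failures guesses."""
    return keyspace / max_failures * lockout_seconds


if __name__ == "__main__":
    # Constructed sample meeting; not a real Zoom meeting ID or passcode.
    meeting, code = "111-222-333", "048213"
    unthrottled = PasscodeVerifier({meeting: code}, max_failures=None)
    throttled = PasscodeVerifier({meeting: code})
    print("no lockout :", sweep(unthrottled, meeting))
    print("with lockout:", sweep(throttled, meeting))
    print("worst-case sweep with lockout: %.1f days"
          % (worst_case_sweep_seconds() / 86400))
```

The lockout is keyed by meeting ID so that a single session cannot simply reconnect and keep guessing; a production service would also throttle per source address and per account. With five guesses per fifteen-minute window, exhausting one million values takes on the order of years rather than minutes, which is the whole point of the control the article says was missing.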
Zoom has improved rate limiting, addressed the CSRF token issues and relaunched the web client. Zoom has been under scrutiny for its security policies since the coronavirus pandemic drove remote collaboration up. In July, a bug in the Zoom Client for Windows was disclosed which could allow remote code execution. And, in April, two zero-day flaws were uncovered in Zoom's macOS client which could have given local attackers root privileges and allowed them to access victims' microphone and camera. Zoom quickly patched the issues upon being alerted to them.