Saturday, April 12, 2025
Follow us On Linkedin
HomeCVE/vulnerabilityZoom Flaw Let Hackers to Crack Private Meeting Passwords

Zoom Flaw Let Hackers to Crack Private Meeting Passwords

CVE/vulnerabilityCyber Security News

Published on

By Gurubaran
Zoom Private Passwords

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

A new Zoom Flaw allows hackers to crack the 6 digits numeric password that used to secure Zoom private meetings.

The vulnerability was discovered by Tom Anthony, VP Product at SearchPilot. The vulnerability resides in the Zoom web client that allowed checking passwords due to broken CSRF and no rate limiting.

Zoom Private Passwords

The vulnerability lets attackers guess any passwords by trying all possible combinations until finding the correct one. as there is no rate limit password attempts that prevent attackers from launching brute force attacks.

- Advertisement - Google News

“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.”

There was no rate limit on repeated password attempts and the only limitation is how quickly you can make HTTP requests.

“We can see we are checking about 25 passwords a second and discovered the password (in this example I knew the password so had bounded my search). I ran a similar test from a machine in AWS and checked 91k passwords in 25 minutes.”

By having distributed environments like 4-5 cloud servers the entire password space can be checked within minutes.

The important thing to note is there is no way to change the 6 digits numeric password to a longer alphanumeric password.

Also, there is a CSRF on the Privacy Terms form which made it even easier for attackers to launch the password attacks.

Tom has reported the issue to Zoom on 1st April, Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate-limiting, addressed the CSRF token issues, and relaunched the web client on April 9th.

Other Zoom Flaws

A New Zoom URL Flaw Let Hackers Mimic Organization’s Invitation Link

Zoom 0day Vulnerability Let Remote Attacker to Execute Arbitrary Code on Victim’s Computer

New Zoom Flaw Let Attackers to Hack into the Systems of Participants via Chat Messages

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

cyber security

Threat Actors Leverage Email Bombing to Evade Security Tools and Conceal Malicious Activity

Threat actors are increasingly using email bombing to bypass security protocols and facilitate further...
Cyber Attack

Threat Actors Launch Active Attacks on Semiconductor Firms Using Zero-Day Exploits

Semiconductor companies, pivotal in the tech industry for their role in producing components integral...
Cyber Attack

Hackers Exploit Router Flaws in Ongoing Attacks on Enterprise Networks

Enterprises are facing heightened cyber threats as attackers increasingly target network infrastructure, particularly routers,...
cryptocurrency

Threat Actors Exploit Legitimate Crypto Packages to Deliver Malicious Code

Threat actors are using open-source software (OSS) repositories to install malicious code into trusted...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

cyber security

Threat Actors Leverage Email Bombing to Evade Security Tools and Conceal Malicious Activity

Threat actors are increasingly using email bombing to bypass security protocols and facilitate further...
Cyber Attack

Threat Actors Launch Active Attacks on Semiconductor Firms Using Zero-Day Exploits

Semiconductor companies, pivotal in the tech industry for their role in producing components integral...
Cyber Attack

Hackers Exploit Router Flaws in Ongoing Attacks on Enterprise Networks

Enterprises are facing heightened cyber threats as attackers increasingly target network infrastructure, particularly routers,...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved