Thursday, April 18, 2024

Zoom Flaw Let Hackers to Crack Private Meeting Passwords

By Guru baran

Zoom Private Passwords

A new Zoom Flaw allows hackers to crack the 6 digits numeric password that used to secure Zoom private meetings.

The vulnerability was discovered by Tom Anthony, VP Product at SearchPilot. The vulnerability resides in the Zoom web client that allowed checking passwords due to broken CSRF and no rate limiting.

Zoom Private Passwords

The vulnerability lets attackers guess any passwords by trying all possible combinations until finding the correct one. as there is no rate limit password attempts that prevent attackers from launching brute force attacks.

“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.”

There was no rate limit on repeated password attempts and the only limitation is how quickly you can make HTTP requests.

“We can see we are checking about 25 passwords a second and discovered the password (in this example I knew the password so had bounded my search). I ran a similar test from a machine in AWS and checked 91k passwords in 25 minutes.”

By having distributed environments like 4-5 cloud servers the entire password space can be checked within minutes.

The important thing to note is there is no way to change the 6 digits numeric password to a longer alphanumeric password.

Also, there is a CSRF on the Privacy Terms form which made it even easier for attackers to launch the password attacks.

Tom has reported the issue to Zoom on 1st April, Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate-limiting, addressed the CSRF token issues, and relaunched the web client on April 9th.

Other Zoom Flaws

A New Zoom URL Flaw Let Hackers Mimic Organization’s Invitation Link

Zoom 0day Vulnerability Let Remote Attacker to Execute Arbitrary Code on Victim’s Computer

New Zoom Flaw Let Attackers to Hack into the Systems of Participants via Chat Messages

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Managed WAF Protection

Website

Latest articles

Cyber Attack

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...
cyber security

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...
CVE/vulnerability

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...
Cyber Crime

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...
Cyber Security News

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...
Computer Security

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...
cyber security

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]