Categories: CVE/vulnerabilityCyber Security News

Zoom Flaw Let Hackers to Crack Private Meeting Passwords

A new Zoom Flaw allows hackers to crack the 6 digits numeric password that used to secure Zoom private meetings.

The vulnerability was discovered by Tom Anthony, VP Product at SearchPilot. The vulnerability resides in the Zoom web client that allowed checking passwords due to broken CSRF and no rate limiting.

Zoom Private Passwords

The vulnerability lets attackers guess any passwords by trying all possible combinations until finding the correct one. as there is no rate limit password attempts that prevent attackers from launching brute force attacks.

“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.”

There was no rate limit on repeated password attempts and the only limitation is how quickly you can make HTTP requests.

“We can see we are checking about 25 passwords a second and discovered the password (in this example I knew the password so had bounded my search). I ran a similar test from a machine in AWS and checked 91k passwords in 25 minutes.”

By having distributed environments like 4-5 cloud servers the entire password space can be checked within minutes.

The important thing to note is there is no way to change the 6 digits numeric password to a longer alphanumeric password.

Also, there is a CSRF on the Privacy Terms form which made it even easier for attackers to launch the password attacks.

Tom has reported the issue to Zoom on 1st April, Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate-limiting, addressed the CSRF token issues, and relaunched the web client on April 9th.

Other Zoom Flaws

A New Zoom URL Flaw Let Hackers Mimic Organization’s Invitation Link

Zoom 0day Vulnerability Let Remote Attacker to Execute Arbitrary Code on Victim’s Computer

New Zoom Flaw Let Attackers to Hack into the Systems of Participants via Chat Messages

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Leave a Comment
Share
Published by
Gurubaran
Tags: Vulnerabilityzoom vulnerability
4 years ago

Recent Posts

Zohocorp ManageEngine ADAudit Plus SQL Injection Vulnerability

Zohocorp, the company behind ManageEngine, has released a security update addressing a critical SQL injection…

8 hours ago

Citrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild

A critical new vulnerability has been discovered in Citrix’s Virtual Apps and Desktops solution, which…

8 hours ago

Sonatype Nexus Repository Manager Hit by RCE & XSS Vulnerability

Sonatype, the company behind the popular Nexus Repository Manager, has issued security advisories addressing two…

11 hours ago

GeoVision 0-Day Vulnerability Exploited in the Wild

Cybersecurity researchers have detected the active exploitation of a zero-day vulnerability in GeoVision devices, which…

12 hours ago

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

3 days ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

3 days ago