KALI

Zoom Flaw Let Hackers to Crack Private Meeting Passwords

A new Zoom Flaw allows hackers to crack the 6 digits numeric password that used to secure Zoom private meetings.

The vulnerability was discovered by Tom Anthony, VP Product at SearchPilot. The vulnerability resides in the Zoom web client that allowed checking passwords due to broken CSRF and no rate limiting.

Zoom Private Passwords

The vulnerability lets attackers guess any passwords by trying all possible combinations until finding the correct one. as there is no rate limit password attempts that prevent attackers from launching brute force attacks.

“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.”

There was no rate limit on repeated password attempts and the only limitation is how quickly you can make HTTP requests.

“We can see we are checking about 25 passwords a second and discovered the password (in this example I knew the password so had bounded my search). I ran a similar test from a machine in AWS and checked 91k passwords in 25 minutes.”

By having distributed environments like 4-5 cloud servers the entire password space can be checked within minutes.

The important thing to note is there is no way to change the 6 digits numeric password to a longer alphanumeric password.

Also, there is a CSRF on the Privacy Terms form which made it even easier for attackers to launch the password attacks.

Tom has reported the issue to Zoom on 1st April, Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate-limiting, addressed the CSRF token issues, and relaunched the web client on April 9th.

Other Zoom Flaws

A New Zoom URL Flaw Let Hackers Mimic Organization’s Invitation Link

Zoom 0day Vulnerability Let Remote Attacker to Execute Arbitrary Code on Victim’s Computer

New Zoom Flaw Let Attackers to Hack into the Systems of Participants via Chat Messages

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Tags: Vulnerabilityzoom vulnerability
4 years ago
Guru baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Leave a Comment

Related Post

Recent Posts

Redline Malware Using Lua Bytecode to Challenge the SOC/TI Team to Detect

The first instance of Redline using such a method is in a new variant of Redline Stealer malware that McAfee…

10 hours ago

Threat Actor Claims Selling of Dell Database with 49M User Records

A threat actor reportedly sells a database containing 49 million user records from Dell, one of the world's leading technology…

14 hours ago

Google Blocks 2.28M Malicious Apps Entering The Play Store

A safe and trusted Google Play experience is our top priority. We leverage our SAFE (see below) principles to provide…

15 hours ago

LightSpy Malware Actively Targeting MacOS Devices

BlackBerry reported a new iOS LightSpy malware, but Huntress researchers found it to be a macOS variant targeting Intel or…

16 hours ago

New Android Malware Mimic As Social Media Apps Steals Sensitive Data

A new RAT malware has been discovered to be targeting Android devices. This malware is capable of executing additional commands…

16 hours ago

Safari Vulnerability Exposes EU iOS Users to Malicious Marketplaces

A serious concern has arisen for iPhone users in the European Union as a newly discovered flaw in Apple's Safari…

16 hours ago