Yet another Zoom bug: private meeting passwords cracked in minutes


Vulnerability in Zoom allowed attackers to crack passwords for private meetings and spy on participants

Unlimited checking of passwords leads to snooping attacks

The numeric passcode used to secure private Zoom meetings can be cracked in a matter of minutes.[1] The Zoom meetings platform has already made the front pages of security news sites several times.[2] Tom Anthony[3] reported a new flaw, stating that the lack of a rate limit on repeated password attempts is what allows this cracking to happen:

Zoom meetings were protected by default by a 6 digit numeric password, meaning 1 million maximum passwords. I discovered a vulnerability in the Zoom web client that allowed checking if a password is correct for a meeting, due to broken CSRF and no rate limiting.

This Zoom web client vulnerability allowed an attacker to guess the password to a meeting by trying combinations until the correct one was found. The requirement for a passcode was introduced this year, when attacks on Zoom meetings began to occur more often than ever.[4]

After this passcode-cracking report, Zoom issued a response and assured users that fixes had been released and that all the security issues were fully resolved.

Cracking passwords can happen in a few minutes

An attacker aiming to hijack a meeting on the Zoom platform could check all one million passwords in a few minutes. Once the correct passcode for a private, password-protected Zoom meeting is guessed, the attacker can snoop on participants and gather the information they want. This vulnerability might already have been exploited by those who want to listen in on people's calls.

This flaw saves the attacker time, and because cracking can be achieved quickly, many targets might be affected. Unfortunately, some meetings use Personal Meeting IDs that always have the same passcode. There is no need to crack these more than once: by cracking the password a single time, attackers can gain permanent access to future sessions.

The researcher also showed how easy this is to achieve by demonstrating how he could crack the password. Within 25 minutes, Tom Anthony managed to check 91,000 passwords using an AWS machine and found the correct one. He also says that improved techniques, such as distributing the work across a few cloud servers, could allow the cracking to happen within minutes.
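As an added defensive illustration (not Zoom's code or the researcher's tooling), the snippet below simulates a meeting-passcode check with and without a per-meeting failure limit and works out the worst-case time to exhaust the six-digit keyspace at the rate reported above; the meeting ID, passcode, attempt limit and window are constructed assumptions.

```python
import hmac
from collections import defaultdict, deque

KEYSPACE = 10 ** 6       # 6-digit numeric passcodes: 000000 .. 999999
MAX_FAILS = 5            # assumed failed attempts allowed per meeting per window
WINDOW_SECONDS = 600     # assumed sliding window for counting failures


class PasscodeVerifier:
    """Server-side passcode check with a per-meeting sliding-window lockout.
    The clock is injected so the simulation runs deterministically."""

    def __init__(self, passcodes, clock, max_fails=MAX_FAILS, window=WINDOW_SECONDS):
        self._passcodes = passcodes        # meeting_id -> passcode (constructed sample data)
        self._clock = clock
        self._max_fails = max_fails
        self._window = window
        self._fails = defaultdict(deque)   # meeting_id -> timestamps of recent failures

    def check(self, meeting_id, passcode):
        now = self._clock()
        fails = self._fails[meeting_id]
        while fails and now - fails[0] > self._window:   # forget expired failures
            fails.popleft()
        if len(fails) >= self._max_fails:
            return "locked"                # refuse without revealing anything
        expected = self._passcodes.get(meeting_id, "")
        if hmac.compare_digest(expected, passcode):
            fails.clear()
            return "ok"
        fails.append(now)
        return "wrong"


def guesses_until_stopped(verifier, meeting_id):
    """Walk the keyspace in order and report how many guesses the server
    answered before the passcode was confirmed or the meeting locked."""
    for n in range(KEYSPACE):
        result = verifier.check(meeting_id, f"{n:06d}")
        if result in ("ok", "locked"):
            return n + 1, result
    return KEYSPACE, "exhausted"


def minutes_to_exhaust(checks, minutes):
    """Worst-case minutes to try every 6-digit passcode at an observed rate,
    e.g. the 91,000 checks in 25 minutes reported by the researcher."""
    return KEYSPACE / (checks / minutes)


def demo():
    passcodes = {"123-456-789": "004217"}   # constructed sample meeting
    tick = lambda: 0.0                      # frozen clock: every attempt lands in one window
    unlimited = PasscodeVerifier(passcodes, tick, max_fails=KEYSPACE)
    limited = PasscodeVerifier(passcodes, tick)
    return (guesses_until_stopped(unlimited, "123-456-789"),
            guesses_until_stopped(limited, "123-456-789"))
```

Without a limit the verifier confirms the sample passcode on the 4,218th guess; with the limit it answers only six requests before locking the meeting, and the rate function shows a single machine at the reported pace would need roughly 275 minutes to cover the whole keyspace.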

Previous issues with Zoom platform

2020 started with many news reports about Zoom and its security issues. When the world turned to such platforms for remote work and education, the service also became attractive to attackers and other malicious people. Starting in January, Zoom had to patch various vulnerabilities that triggered attacks. One of them allowed hackers to identify and join unprotected meetings by guessing Zoom Meeting IDs.

After that, a zero-day remote code execution flaw was identified in the Zoom Windows client. The exploit was sold for $500,000, together with another designed to affect the Zoom client for macOS by exploiting other vulnerabilities. At the same time, Zoom user accounts were on sale in dark web hacker forums for less than a penny.

Some cases showed that information was also given away for free. In July, Zoom fixed a zero-day vulnerability in the web conference client that allowed remote command execution on vulnerable Windows 7 systems.[5] It is probably not the end of flaws and security issues for the Zoom platform.