Zoom was found to have a bug that hackers could use to crack the passwords for private meetings. Zoom has been in the news a lot recently for its security and privacy issues. This is partly the result of how quickly Zoom's user base has grown, now that so many people are working from home and need video-conferencing and communications tools to stay in touch with friends, family, and work colleagues.

As the months have passed, Zoom has become an incredibly important resource for people who are working remotely. It lets people hold meetings while following social-distancing guidelines. While many may be delighted with the bevy of whimsical backgrounds, others are concerned about the security flaws associated with the platform, including Zoombombing.


In a blog post, Tom Anthony shared information about a Zoom security flaw. In addition to detailing the security vulnerabilities, Anthony informed Zoom of the flaw and gave suggestions on how Zoom could improve its security. The issue was first noted after the UK Prime Minister, Boris Johnson, shared an image of a Zoom cabinet meeting, and Anthony tried to guess the password needed to join it. The meeting included a random muted user designated as “iPhone,” and while the government explained that the meeting was password-protected, Anthony feared that someone may have already found and used the exploit.

Understanding The Latest Zoom Security Flaw


It is important to understand that default passwords on Zoom originally consisted of six numerical digits, although people can make a 10-digit alphanumeric password. Normally, a site or application may limit the number of times a user can enter a password, but Zoom allowed people to enter the password as many times as they wanted without consequence. As a result, people could try all one million potential passwords to gain access to a Zoom meeting. Anthony tested this with Python by rapidly submitting batches of passwords and found the correct code in under 30 minutes. Furthermore, Anthony stressed that people could find the password faster with better code for checking batches and superior resources, while also noting that alphanumeric passwords could get cracked within one hour.

Anthony came up with a few solutions to prevent someone, like the alleged mystery 'iPhone' person, from breaking into private meetings. The first solution is rather simple: give users a limited number of password attempts, and also limit attempts based on a user’s IP address. Anthony also believes that Zoom should make its default passwords longer. Additionally, he argues that people in meetings should receive warnings when someone fails multiple password attempts, and pointed out that Zoom should fix a flaw in the privacy terms page where malicious entities could automate attacks by omitting a CSRF HTTP header.
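The attempt limits and participant warnings Anthony suggests can be sketched in a few lines of Python. This is an added example, not Zoom's or Anthony's code: the class and function names, the thresholds (5 failures per IP and 20 per meeting in a 10-minute window) and any meeting IDs or addresses used with it are assumptions made up for illustration.

```python
import hmac
import time
from collections import defaultdict, deque


class AttemptLimiter:
    """Sliding-window cap on failed meeting-password attempts (thresholds are assumed)."""

    def __init__(self, per_ip=5, per_meeting=20, window=600.0, clock=time.monotonic):
        self.per_ip, self.per_meeting = per_ip, per_meeting
        self.window, self.clock = window, clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key):
        now, q = self.clock(), self.failures[key]
        while q and now - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        return len(q)

    def check(self, meeting_id, ip, supplied, expected):
        """Return 'ok', 'wrong' or 'locked' for one join attempt."""
        ip_key, mtg_key = ("ip", meeting_id, ip), ("mtg", meeting_id)
        if (self._recent(ip_key) >= self.per_ip
                or self._recent(mtg_key) >= self.per_meeting):
            return "locked"  # refuse before comparing, so a locked guess learns nothing
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            return "ok"
        now = self.clock()
        self.failures[ip_key].append(now)   # counts against this address
        self.failures[mtg_key].append(now)  # and against the meeting as a whole
        return "wrong"

    def host_should_be_warned(self, meeting_id, threshold=3):
        """True once a meeting has seen `threshold` recent failed attempts."""
        return self._recent(("mtg", meeting_id)) >= threshold


def days_to_exhaust(keyspace, attempts_per_window, window_seconds):
    """Worst-case days needed to try every password at the capped rate."""
    return keyspace / attempts_per_window * window_seconds / 86400
```

At the assumed cap of 20 guesses per meeting every 10 minutes, `days_to_exhaust(10**6, 20, 600)` comes to roughly 347 days for the six-digit keyspace. The per-meeting cap is what covers guesses spread across many IP addresses, though it also means a burst of bad guesses temporarily locks out legitimate joiners.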

It is worth mentioning that Zoom has already fixed the problem so that hackers cannot enter private meetings through the same method. According to Anthony, the video conferencing company acted quickly to mitigate the problem by forcing users to sign in through the web client and switching to alphanumeric default passwords. With that said, Zoom could always add more security features and layers of protection to better support its users.


Source: Tom Anthony