New Zoom Bug Prompts Security Fix, Platform Changes

A newly discovered Zoom vulnerability would have enabled an attacker to join active meetings and access audio, video, and documents shared.

CPX 360 – New Orleans, La. – A previously undisclosed and now patched vulnerability in the Zoom conferencing platform could have let attackers drop into active meetings by generating and verifying Zoom IDs.

Zoom users know the platform's unique meeting IDs are made up of 9, 10, or 11-digit numbers. If hosts don't require a conference password or enable the Waiting Room feature, Zoom ID is the only factor protecting meetings from unauthorized attendees. Check Point researchers found it was possible for an attacker to generate potentially valid Zoom IDs and automate their verification.

"The number should be privately shared, and it should be that nobody should be able to guess it," says Check Point head of cyber research Yaniv Balmas. "We found a vulnerability in Zoom that allows it to tell us whether a number is a meeting number in a matter of minutes."

Researchers pre-generated a list of potential meeting IDs and prepared a URL string for joining a meeting. When the URL was entered with a random meeting ID number, they noticed the HTML body of the returned response indicated "Invalid meeting ID" or "Valid Meeting ID found," depending on whether the ID was linked to an active conference. Automating this approach allowed them to quickly determine valid ID numbers and drop in on random ongoing calls.

"Although we know the number is valid, we don't know whose chat it's going to be," Balmas notes. "You can call it Zoom roulette."

Exploiting this vulnerability could grant an attacker the same privileges as any Zoom attendee, meaning they would have access to audio, video, and documents shared during the call. While the intruder would not be invisible, Balmas points out, it w ..
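On the server side, the automated ID verification described above has a recognizable shape: one client tries many different meeting IDs in a short time and almost all of them are rejected. The following detection sketch is an added example, not code from the article, Check Point, or Zoom; the log schema, IP addresses, meeting IDs, and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed join-attempt records in a hypothetical schema (not Zoom's):
# (epoch_seconds, client_ip, meeting_id, outcome)
def make_sample():
    events = []
    # One client cycling through many different IDs, nearly all rejected.
    for i in range(40):
        outcome = "valid" if i == 17 else "invalid"
        events.append((1000 + i, "198.51.100.7", str(300000000 + i * 7919), outcome))
    # Ordinary users: one or two IDs each, with an occasional typo.
    events += [
        (1005, "203.0.113.10", "123456789", "valid"),
        (1010, "203.0.113.11", "987654321", "invalid"),
        (1012, "203.0.113.11", "987654312", "valid"),
        (1030, "203.0.113.12", "5551234567", "valid"),
    ]
    return sorted(events)

def find_enumerators(events, window=60, min_distinct=20, min_invalid_ratio=0.8):
    """Return {client_ip: (distinct_ids, invalid_ratio)} for clients that, within
    any `window` seconds, tried at least `min_distinct` different meeting IDs
    with at least `min_invalid_ratio` of those attempts rejected."""
    recent = defaultdict(deque)  # client_ip -> deque of (ts, meeting_id, outcome)
    flagged = {}
    for ts, ip, meeting_id, outcome in events:
        q = recent[ip]
        q.append((ts, meeting_id, outcome))
        # Drop attempts that have aged out of the sliding window.
        while q and q[0][0] <= ts - window:
            q.popleft()
        distinct = len({m for _, m, _ in q})
        invalid = sum(1 for _, _, o in q if o == "invalid") / len(q)
        if distinct >= min_distinct and invalid >= min_invalid_ratio:
            # Keep the worst window seen for this client.
            if distinct > flagged.get(ip, (0, 0.0))[0]:
                flagged[ip] = (distinct, round(invalid, 3))
    return flagged

if __name__ == "__main__":
    for ip, (n, ratio) in find_enumerators(make_sample()).items():
        print(f"{ip}: {n} distinct meeting IDs in window, {ratio:.0%} invalid")
```

Counting distinct IDs rather than raw requests keeps a user who retries one mistyped ID from being flagged, while a client walking a pre-generated list crosses the threshold quickly.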
