Vulnerability Allowed Brute-Forcing Passwords of Private Zoom Meetings

A vulnerability that Zoom addressed in its web client could have allowed an attacker to join private meetings by brute-forcing the passcode.


The Zoom video-conferencing platform has become highly popular since the COVID-19 pandemic forced many to work from home.


As it was rising to fame, Zoom also came under heavy scrutiny from security companies and privacy advocates, which pushed it to improve security for its users, including by implementing end-to-end encryption and revamping its bug bounty program.


The newly disclosed issue, web developer and security researcher Tom Anthony reveals, was addressed in early April, just as security concerns regarding Zoom were being fueled by the wide adoption of the service.


Stemming from the absence of any limit on the number of passcode attempts for a meeting, the vulnerability could have allowed an attacker to join private meetings simply by trying every possible combination.


The vulnerability was the result of a combination of factors, such as Zoom meetings being protected by default with 6-digit passcodes, no limit to the number of failed attempts to enter the correct code, and a broken cross-site request forgery (CSRF) protection in the web client.


“This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings,” Anthony explains.


To join a Zoom meeting, users ..
