Identified by Tom Anthony, VP Product at SEO firm SearchPilot, the Zoom vulnerability stemmed from the absence of rate limiting on private meeting log in attempts.
As Anthony explains in a recent blog post, Zoom meetings used to be protected by a 6-digit numeric password, making for a maximum of one million different permutations. This might sound like a considerable number but, using a simple Python program, a hacker could easily trial all possible passwords and brute force their way into any meeting.
Meetings set to take place at regular intervals were particularly vulnerable to attack, since the password remains the same for each batch-scheduled meeting.
Zoom has experienced a sharp uptick in user numbers in recent months and currently serves over 300 million daily meeting participants.
Having rocketed into public consciousness as a result of coronavirus lockdown measures and the rise of remote working, Zoom has faced significant scrutiny where security is concerned.
Since March, researchers have uncovered a litany of vulnerabilities in the service – from the opportunity for credential theft to app hijacking, malicious code injection and more – forcing the company to suspend product development for a period to focus on eliminating security bugs.
After verifying the brute force exploit using a crude Python program running on an AWS machine, Anthony disclosed the vulnerability on April 1, which led to the suspension of the Zoom web client on April 2 – an outage that lasted one week.
During this time, Zoom implemented policy that required web client users to log into an account before joining a meeting. The company also made default passwords longer and included non-numeric characters, drastically increasing the number of possible password permutations.
“We have since improved rate limiting and relaunched the web client on April 9. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild,” Zoom explained in a statement.
As Anthony notes, however, it is plausible an attacker might have infiltrated a Zoom meeting by this vector without alerting the other participants, hidden behind a generic user ID such as “iPhone” or “Home PC”.