Zoom, the popular video conferencing app, recently fixed a vulnerability that allowed an attacker to crack the password of a “Private Meeting” easily; the same flaw could also let an attacker snoop on or spy on meetings without being noticed.
By default, meetings are protected by a 6-digit numeric password, but according to Tom Anthony, who first identified the issue, the lack of rate limiting enabled an attacker to run a brute-force attack: he was able to try all one million password combinations in a matter of minutes and gain access to other people’s password-protected (private) Zoom meetings.
Zoom’s history of fixing issues
It is also important to mention that Zoom has a history of fixing security issues since the start of the COVID-19 pandemic. As the use of the video conferencing application skyrocketed, so did the attacks on it.
Since then the company has come under fire for its poor handling of security, and that doesn’t seem to have changed even today.
The “password for all meetings” rule was made mandatory in April 2020, and the company issued an advisory on its official website, which you’re free to check out here – Official advisory. This was a measure to prevent the disruption attacks that multiplied as use of the application increased; they were later dubbed “Zoom-bombing” attacks, meaning “the act of disrupting and hijacking Zoom meetings, uninvited, to share obscene and racist content”.
This issue was also reported by Tom Anthony on 1 April 2020, along with the Python script used for vulnerability testing; a week later, on 9 April 2020, Zoom fixed it.
Explaining the latest vulnerability that Zoom fixed
As noted, private meetings were secured with a 6-digit passcode; this alone tells an attacker that there can be at most one million password combinations. On top of that, it was discovered that there was no check at all to block repeated incorrect password attempts.
In other words, consider this scenario: if you enter a username/password combination on a login form, after three incorrect attempts you are blocked and the account owner is notified. In Zoom’s case no such mechanism was in place, so an attacker could run through all one million password combinations with a script in a matter of minutes.
The attacker could use the Zoom web client to continuously send HTTP requests trying out all one million password combinations. Tom Anthony even said that with improved threading and by distributing the process across 4-5 cloud servers, it is extremely easy to try every possible combination.
Furthermore, the same attack works on recurring meetings, meaning the attacker can access any ongoing meeting once the passcode is cracked. The same procedure also worked with scheduled meetings, which have the option to override the default passcode with a longer alphanumeric version.
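The missing control described above is an attempt limiter in front of the passcode check. The following is an added example written for this article, not Zoom’s code; the policy values (five attempts, a 300-second lockout) and the request rate used in the calculation are assumptions. It shows a passcode gate that locks a client out after repeated failures and keeps a per-meeting failure counter for alerting the host, together with a worst-case calculation of how long an exhaustive search of the 6-digit keyspace takes with and without such a limit.

```python
"""Passcode gate with attempt limiting (added example, not Zoom's code)."""
import secrets

PASSCODE_DIGITS = 6
KEYSPACE = 10 ** PASSCODE_DIGITS          # 1,000,000 possible numeric passcodes


class PasscodeGate:
    """Verifies a meeting passcode and throttles repeated wrong guesses.

    The limit and lockout values are hypothetical policy choices; the real
    limits Zoom applied after the fix are not stated in the article.
    """

    def __init__(self, passcode, max_attempts=5, lockout_seconds=300.0):
        self.passcode = passcode
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._per_client = {}          # client_id -> (failed_count, locked_until)
        self.total_failures = 0        # per-meeting counter, useful for host alerting

    def check(self, client_id, attempt, now):
        """Return 'ok', 'wrong' or 'locked' for one join attempt made at time `now`."""
        failed, locked_until = self._per_client.get(client_id, (0, 0.0))
        if now < locked_until:
            return "locked"               # refuse before comparing anything
        if secrets.compare_digest(attempt, self.passcode):
            self._per_client.pop(client_id, None)
            return "ok"
        failed += 1
        self.total_failures += 1
        if failed >= self.max_attempts:
            # reset the counter and open a lockout window for this client
            self._per_client[client_id] = (0, now + self.lockout_seconds)
            return "locked"
        self._per_client[client_id] = (failed, locked_until)
        return "wrong"


def exhaustive_search_seconds(requests_per_second, max_attempts=None, lockout_seconds=None):
    """Worst-case time for one client to try every passcode.

    With no limit the bound is keyspace / request rate.  With `max_attempts`
    guesses allowed per lockout window, the client gets at most that many
    guesses every `lockout_seconds`, so the bound becomes
    (keyspace / max_attempts) * lockout_seconds (request time ignored).
    """
    if max_attempts is None:
        return KEYSPACE / requests_per_second
    windows = KEYSPACE / max_attempts
    return windows * lockout_seconds


if __name__ == "__main__":
    # Assumed request rate: 1,000 guesses per second from a single client.
    print("no limit:    %.0f s" % exhaustive_search_seconds(1000))
    print("with lockout: %.0f s" % exhaustive_search_seconds(1000, 5, 300.0))
```

At the assumed rate the unlimited search finishes in about 17 minutes, which matches the “matter of minutes” figure in the article, while the five-attempts-per-five-minutes policy pushes the same search to roughly 60 million seconds. A per-client lockout alone is only part of the fix: the per-meeting `total_failures` counter is there so that a meeting receiving many failures from many clients can be flagged to its host.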
One more issue discovered in the past
In the past, researchers noticed that during the sign-in process through the web client there was a temporary redirect to seek the customer’s consent to the terms of service and privacy policy. During this redirection, a hidden CSRF HTTP header was sent to the user. Even if this header was omitted, the request still worked fine, according to Tom Anthony.
The failure to enforce this hidden step would have made it much easier to exploit the existing vulnerability, and in turn easier for an attacker to abuse the loophole; however, fixing this alone would not have provided much protection against the existing vulnerability.
This was reported to Zoom, and the company took the web client offline to mitigate the issue on 2 April 2020.
Earlier this month, on 10 July 2020, the company fixed an issue in its Windows application which allowed an attacker to execute arbitrary code on a victim’s machine running Windows 7 or an older version.
It is also important to note that the vulnerability fixed in the Windows variant was a zero-day vulnerability.
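The CSRF header problem described above is a token that is issued to the client but never verified on the server. The following added example is not Zoom’s code; the header name `X-CSRF-Token`, the request shape and the session-bound HMAC token are assumptions. It places the unchecked handler beside one that refuses a join request whose token is missing or does not match the token issued for that session.

```python
"""CSRF token issued and verified (added example, not Zoom's code)."""
import hashlib
import hmac
import secrets

# Per-deployment secret; generated here for the example.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Derive the token for a session so the server need not store it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_join_unchecked(request):
    """Failure mode from the article: the header is sent but never validated."""
    return "joined"


def handle_join_checked(request):
    """Hardened handler: a missing or mismatched token rejects the request."""
    session_id = request["session_id"]
    token = request.get("headers", {}).get("X-CSRF-Token")
    expected = issue_csrf_token(session_id)
    if token is None or not hmac.compare_digest(token, expected):
        return "rejected"
    return "joined"


if __name__ == "__main__":
    # Constructed requests: one with no token, one with the token for session "s1".
    no_token = {"session_id": "s1", "headers": {}}
    with_token = {"session_id": "s1", "headers": {"X-CSRF-Token": issue_csrf_token("s1")}}
    print(handle_join_unchecked(no_token), handle_join_checked(no_token), handle_join_checked(with_token))
```

The comparison uses `hmac.compare_digest` so that a mismatch takes the same time regardless of where the first differing byte sits. As the article notes, enforcing this header on its own does not remove the underlying problem; without attempt limiting, a client that holds a valid token can still submit guesses freely.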
What is a Zero day vulnerability?
A Zero day vulnerability is a vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability.
The company also fixed a separate flaw which allowed an attacker to mimic a meeting of any particular organization and trick its clients or partners into giving up their personal information through social engineering.
Source – Zoom Security Exploit