SearchPilot specialist Tom Anthony discovered that a bug in Zoom allowed brute-forcing the password to someone else's conference.
Since April of this year, Zoom has protected all conferences with a mandatory six-digit numeric password. The company introduced this measure because of so-called Zoom-bombing: before it, third parties often joined Zoom videoconferences (online lessons, business meetings, and so on) to disrupt the meeting or simply play a prank. Recordings of such pranks often appeared later and spread on social networks.
Anthony explains that he found a CSRF bug and that there were no restrictions on the number of password attempts, nor on the rate at which they could be made.
“On March 31st, Boris Johnson tweeted about chairing the first ever digital cabinet meeting. I was amongst many who noticed that the screenshot included the Zoom Meeting ID. Having also tried to join, I thought I would see if I could crack the password for private Zoom meetings. Over the next couple of days, I spent time reverse engineering the endpoints for the web client Zoom provide, and found I was able to iterate over all possible default passwords to discover the password for a given private meeting”, says Tom Anthony.
As a result, it turned out that an attacker only needs to try a million possible combinations (from 000000 to 999999). With 4-5 cloud servers continuously sending HTTP requests to the web client (at an address of the form https://zoom.us/j/MEETING_ID), this could be done in a matter of minutes.
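The two facts above (a keyspace of only 1,000,000 values, and an endpoint that never throttles attempts) are what make the attack practical. The following is an added illustration, not Tom Anthony's PoC and not Zoom's own code: it computes the worst-case sweep time with and without throttling, using the article's figure of roughly 25 minutes per sweep from one machine, and shows the defender-side fix of a per-meeting attempt limiter placed in front of the password check. The function names, the in-memory password store, the sample meeting ID and password, and the `FakeClock` are all constructed for the demo.

```python
"""Added example (not Tom Anthony's PoC, not Zoom's code). Models why an
unthrottled six-digit numeric password is weak and how a per-meeting attempt
limiter changes the picture. All names and sample data here are assumptions."""
import hmac
import time
from collections import defaultdict

DIGITS = 6
KEYSPACE = 10 ** DIGITS  # 000000 .. 999999


def worst_case_seconds(attempts_per_second: float, keyspace: int = KEYSPACE) -> float:
    """Time to try every password when nothing throttles the guesser."""
    return keyspace / attempts_per_second


def worst_case_seconds_with_lockout(max_attempts: int, window_seconds: float,
                                    keyspace: int = KEYSPACE) -> float:
    """Time to try every password when a meeting accepts at most
    max_attempts guesses per window_seconds, regardless of where they come from."""
    windows_needed = -(-keyspace // max_attempts)  # ceiling division
    return windows_needed * window_seconds


class FakeClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class AttemptLimiter:
    """Sliding-window counter: at most max_attempts per key per window."""
    def __init__(self, max_attempts: int, window_seconds: float, clock=time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._log = defaultdict(list)  # key -> timestamps of recent attempts

    def allow(self, key: str) -> bool:
        now = self.clock()
        recent = [t for t in self._log[key] if now - t < self.window]
        if len(recent) >= self.max_attempts:
            self._log[key] = recent
            return False
        recent.append(now)
        self._log[key] = recent
        return True


# Constructed sample data: meeting id -> its six-digit password.
MEETING_PASSWORDS = {"123456789": "042817"}


def try_join(meeting_id: str, password: str, limiter: AttemptLimiter) -> str:
    """Gate the password check behind the limiter; returns 'locked', 'ok' or 'wrong'.
    The limiter is consulted first, so locked-out guesses never reach the comparison."""
    if not limiter.allow(meeting_id):
        return "locked"
    expected = MEETING_PASSWORDS.get(meeting_id, "")
    # Constant-time comparison avoids leaking how many leading digits matched.
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return "ok"
    return "wrong"


def simulate_guessing(guesses, max_attempts=5, window_seconds=60.0, clock=None):
    """Feed a list of guesses against the sample meeting and return the outcomes."""
    clock = clock or FakeClock()
    limiter = AttemptLimiter(max_attempts, window_seconds, clock.now)
    return [try_join("123456789", g, limiter) for g in guesses]


if __name__ == "__main__":
    # The article's figure: about 25 minutes for all 1,000,000 guesses from one machine.
    print(f"implied unthrottled rate: {KEYSPACE / (25 * 60):.0f} guesses/s")
    print(f"with 5 attempts per minute per meeting: "
          f"{worst_case_seconds_with_lockout(5, 60) / 86400:.0f} days for a full sweep")
    print(simulate_guessing(["000000", "000001", "000002", "000003", "000004", "042817"]))
```

The limiter is keyed on the meeting ID rather than on the client's source address: the article notes the attack was spread over several cloud servers, so a per-IP limit alone would not have stopped it. A per-meeting lockout can in turn be abused to keep legitimate participants out, which is why production systems usually pair it with a challenge step or a longer, non-default password rather than relying on it alone.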
“Also note that recurring meetings, including ‘Personal Meeting IDs (PMIs)’, always use the same password, so once it is cracked you have ongoing access”, reports Tom Anthony.
The specialist also writes that the same procedure could be repeated for scheduled conferences, for which the default password can be changed to a longer alphanumeric one. In that case, it was possible to quickly try the 10,000,000 most common passwords.
The researcher discovered the problem on April 1, 2020, shortly after password protection was introduced. He notified Zoom's engineers of the flaw, attaching to his report a PoC exploit written in Python. The specialist's tool could crack a six-digit password in about 25 minutes from a single computer.
With more machines or additional cloud server capacity, the time needed for the attack dropped to a couple of minutes. To address the bug, the developers temporarily disabled the Zoom web client, and on April 9 they fixed the problem.