Zoom bug allowed attackers to crack private meeting passwords

A lack of rate limiting on repeated password attempts allowed potential attackers to crack the numeric passcode used to secure Zoom private meetings as discovered by Tom Anthony, VP Product at SearchPilot.

“Zoom meetings are (were) default protected by a 6 digit numeric password, meaning 1 million maximum passwords,” as Anthony discovered.

The vulnerability he spotted in the Zoom web client allowed attackers to guess any meeting’s password by trying all possible combinations until finding the correct one.

Cracking meeting passwords within minutes
“This enables an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings,” he says.

“This also raises the troubling question a to whether others were potentially already using this vulnerability to listen in to other peoples’ call.”

Since attackers would not have to go through the entire list of 1 million possible passwords, this could drastically shorten the time needed to crack them.

Also, recurring meetings — including Personal Meeting IDs (PMIs) — will always have the same passcode so attackers would only have to crack them once and gain permanent access to future sessions.

As Anthony was able to demonstrate, he could crack a meeting’s password (including scheduled meetings) within 25 minutes after checking 91,000 passwords using an AWS machine.

“With improved threading, and distributing across 4-5 cloud servers you could check the entire password space within a few minutes,” he added.

Zoom addressed the issue within a week
Anthony reported the Zoom web client issue to the company on April 1, 2020, together with a Python proof of concept to show how attackers could brute-force their way into any password-protected meeting.

After his report, Zoom took down the web client starting with April 2 to address the vulnerability. BleepingComputer reported at the time that the Zoom web client was going through an outage and users were reporting ‘403 Forbidden’ errors.

The next day, the company added an incident report on its official status page saying that “Zoom will be placing the Web Client into maintenance mode and take this part of the service offline.”

One week later, Zoom addressed the password attempt rate limiting issue by “requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer.”

Upon learning of this issue on April 1st, we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate limiting, addressed the CSRF token issues and relaunched the web client on April 9th. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild. We thank Tom Anthony for bringing this issue to our attention. If you think you’ve found a security issue with Zoom products, please send a detailed report to [email protected] — Zoom

Previous Zoom security issues
Since the start of 2020, Zoom was impacted by a series of issues having to patch a security vulnerability in January that would have allowed attackers to identify and join unprotected Zoom meetings by guessing their Zoom Meeting IDs.

In April, an exploit for a zero-day remote code execution vulnerability in the Zoom Windows client was reportedly being sold for $500,000, together with one designed to abuse a bug in the Zoom macOS client.

More than 500,000 Zoom accounts were put on sale on hacker forums and on the dark web for less than a penny each in mid-April and, in some cases, given away for free to be used in zoom-bombing pranks.

Earlier in July, ​Zoom also fixed a zero-day vulnerability in the web conference client that could have enabled attackers to remotely execute commands on vulnerable Windows 7 systems.

Zoom founder and CEO Eric S. Yuan said in April that the video conferencing platform surpassed 300 million daily Zoom meeting participants.

Update: Added an official statement from Zoom.