Zoom meetings are by default protected by a six-digit numeric password, but according to Tom Anthony, VP Product at SearchPilot who identified the issue, the lack of rate limiting enabled "an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people's private (password protected) Zoom meetings."
It's worth noting that Zoom began requiring a passcode for all meetings back in April as a preventive measure to combat Zoom-bombing attacks, which refers to the act of disrupting and hijacking Zoom meetings uninvited to share obscene and racist content.
Anthony reported the security issue to the company on April 1, 2020, along with a Python-based proof-of-concept script, a week after which Zoom patched the flaw on April 9.
The fact that meetings were, by default, secured by a six-digit code meant there could be only a maximum of one million passwords.
But in the absence of no checks for repeated incorrect password attempts, an attacker can leverage Zoom's web client (https://zoom.us/j/MEETING_ID) to continuously send HTTP requests to try all the one million combinations.
"With improved threading, and distributing across 4-5 cloud servers you could check the entire password space within a few minutes," Anthony said.
The attack worked with recurring meetings, implying that bad actors could have had access to the ongoing meetings once the passcode was cracked.
The researcher also found that the same procedure could be repeated even with scheduled meetings, which have the option to override the default passcode with a longer alphanumeric variant, and run it against a list of top 10 million passwords to brute-force a login.
"There was a CSRF HTTP header sent during this step, but if you omitted it then the request still seemed to just work fine anyway," Anthony said. "The failure on the CSRF token made it even easier to abuse than it would be otherwise, but fixing that wouldn't provide much protection against this attack."
Following the findings, Zoom took the web client offline to mitigate the issues on April 2 before issuing a fix a week later.
The video conferencing platform, which drew scrutiny for a number of security issues as its usage soared during the coronavirus pandemic, has quickly patched the flaws as they were uncovered, even going to the extent of announcing a 90-day freeze on releasing new features to "better identify, address, and fix issues proactively."
Just earlier this month, the company addressed a zero-day vulnerability in its Windows app that could allow an attacker to execute arbitrary code on a victim's computer running Windows 7 or older.
It also fixed a separate flaw that could have allowed attackers to mimic an organization and trick its employees or business partners into revealing personal or other confidential information via social engineering attacks.