Pierluigi Paganini January 29, 2020

A vulnerability in the Zoom online meeting system could be exploited to join meetings and view all content shared by participants. 

The popular video conferencing Zoom is affected by a vulnerability that could be exploited to join meetings and view all content shared by participants.

The issue allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session.

The Zoom platform hosts both password-protected virtual meetings and webinars, and sessions for non-pre-registered participants who can join the meetings by entering a unique Meeting ID (comprised of 9, 10, and 11-digit numbers). The latter case doesn’t require a password or going through the Waiting Rooms.

The knowledge of Meeting IDs could allow miscreants joining meetings or webinars.

“The problem was that if you hadn’t enabled the “Require meeting password” option or enabled Waiting Room, which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting i.e. prevented an unauthorized person from connecting to it.” reads the analysis published by CheckPoint.

Check Point experts discovered that an attacker could predict Meeting IDs and join active meetings. 

The researchers generated 1000 potentially valid Zoom Meeting IDs and prepared the URL string for joining the meetings, then they check whether the IDs were valid or not.

urls = []
for _ in range(1000):
urls.append("https://zoom.us/j/{}".format(randint(100000000, 9999999999)))

The experts discovered that it was possible to determine if a Zoom Meeting ID was associated with a valid meeting by analyzing the following “div” element present in the HTML Body of the returned response, when accessing “Join Meeting” URL (https://zoom.us/j/{MEETING_ID})

<div id="join-errormsg" class="error"><i></i><span>Invalid meeting ID.</span></div&gt

The discovered were able to automate the verification process.

“We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success, comparing to the pure brute force,” continues Check Point. 

Check Point reported the flaw to Zoom in July 2019 and in September the company addressed it, the platform now requires a password when scheduling new meetings, for instant meetings, and for Personal Meeting ID (PMI). 

Below the list of changes implemented by Zoom for its client\infrastructure:

1. Passwords are added by default to all future scheduled meetings.
2. Users can able to add a password to already-scheduled future meetings and received instructions by email on how to do so. See article for instructions: https://support.zoom.us/hc/en-us/articles/360033331271-Account-Setting-Update-Password-Default-for-Meeting-and-Webinar
3. Password settings are enforceable at the account level and group level by the account admin.
4. Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
5. Repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.

Pierluigi Paganini

(SecurityAffairs – Zoom, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]