Zoom Fixed Flaw Opening Meetings to Hackers


Check Point security researchers have found that a flaw in the Zoom online meeting software could enable attackers to join meetings uninvited and access shared information.

Zoom is a video conferencing service that provides real-time communication and information sharing. It supports desktop and mobile devices and delivers end-to-end security for meetings and team calls.

The vulnerability, Check Point says, was that in certain situations a meeting was protected only by its 9, 10 or 11-digit Zoom Meeting ID.

The researchers said the susceptible cases were meetings that were not protected by the “Require Meeting Password” option, or where the “Waiting Room” feature, which lets the host manually admit participants, was not activated.

The Check Point researchers found that an attacker could predict meeting IDs and potentially join active meetings.

The researchers generated many potentially valid Zoom Meeting IDs, built the corresponding join URLs, and then checked whether each ID was valid or not.

A “div” element in the returned HTML body disclosed whether the ID supplied in the “Join Meeting” URL was valid, and the researchers also found a way to automate the verification process.

“We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success, compared to pure brute force,” Check Point explains.

In July 2019, the researchers reported the problem to Zoom, and in September Zoom updated its customer-facing infrastructure to eliminate the flaw.

Zoom also now requires a password for newly scheduled meetings, instant meetings and Personal Meeting IDs (PMIs).

In addition, Zoom no longer reveals whether a Meeting ID is valid or invalid. Instead, the page loads and attempts to join the meeting, which increases the time an intruder would need to locate a legitimate meeting.

Finally, repeated attempts to scan for Meeting IDs cause the requesting device to be blocked for a period of time.
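The two server-side mitigations described above, a response that does not reveal ID validity and a temporary block after repeated scanning, can be illustrated with a small join guard. This is an added example, not code from Zoom or Check Point; the thresholds, the log format and the client/ID values are all assumed and constructed here.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window for counting probes (assumed value)
MAX_DISTINCT_IDS = 5     # distinct Meeting IDs per window before a block (assumed)
LOCKOUT_SECONDS = 300    # how long a scanning client stays blocked (assumed)


class JoinGuard:
    """Tracks join attempts per client and blocks clients that probe many Meeting IDs."""

    def __init__(self):
        self.attempts = defaultdict(deque)   # client -> deque of (timestamp, meeting_id)
        self.blocked_until = {}              # client -> timestamp when the block expires

    def handle_join(self, client, meeting_id, ts):
        """Return 'blocked' or 'joining'. The reply never depends on whether the ID exists,
        so the response itself leaks no validity information to the caller."""
        if self.blocked_until.get(client, 0) > ts:
            return "blocked"
        window = self.attempts[client]
        window.append((ts, meeting_id))
        # Drop attempts that have aged out of the sliding window.
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        # Retrying the same ID is normal; probing many distinct IDs is scanning.
        distinct_ids = {mid for _, mid in window}
        if len(distinct_ids) > MAX_DISTINCT_IDS:
            self.blocked_until[client] = ts + LOCKOUT_SECONDS
            window.clear()
            return "blocked"
        return "joining"


# Constructed sample log: "<timestamp> <client> <meeting_id>".
# 10.0.0.5 walks through sequential IDs; 10.0.0.9 simply retries one real meeting.
SAMPLE_LOG = """\
1 10.0.0.5 111111111
2 10.0.0.5 111111112
3 10.0.0.5 111111113
4 10.0.0.9 987654321
5 10.0.0.5 111111114
6 10.0.0.5 111111115
7 10.0.0.5 111111116
8 10.0.0.5 111111117
9 10.0.0.9 987654321
400 10.0.0.5 111111118
"""


def replay(log_text):
    """Feed each logged join attempt through the guard; return (client, id, decision) tuples."""
    guard = JoinGuard()
    results = []
    for line in log_text.splitlines():
        ts, client, meeting_id = line.split()
        results.append((client, meeting_id, guard.handle_join(client, meeting_id, int(ts))))
    return results
```

Run as written, the scanning client is blocked on its sixth distinct ID and stays blocked for the lockout period, while the legitimate client retrying a single ID is never affected.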

Zoom is not alone in exposing online meetings to possible eavesdropping. Last week, Cisco warned customers that attackers were actively targeting a flaw (CVE-2020-3142) that allows unauthorized users to join password-protected Webex sessions. Cisco has since fixed the bug.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.