A vulnerability in teleconferencing app Zoom would have allowed a malicious actor to identify and join in on active meetings, Check Point Research says in a new report.
According to the cybersecurity research firm Check Point Research, the problem had to do with Zoom Meeting IDs. If a user didn't enable the "Require meeting password" option or enable the Waiting Room, the nine- to 11-digit meeting ID was the only thing securing a meeting and preventing an unauthorized person from listening in.
The firm pre-generated a list of potentially valid Zoom Meeting IDs, took 1,000 random IDs and prepared the URL string for joining the meeting.
But how could we determine if a Zoom Meeting ID represented a valid meeting or not? We discovered a fast and easy way to check this based on the following "div" element present in the HTML body of the returned response when accessing the "Join Meeting" URL (https://zoom.us/j/{MEETING_ID}):

    <div id="join-errormsg" class="error"><i></i><span>Invalid meeting ID.</span></div>
We then tried to automate the described approach (just in case you don't want to brute force all the Meeting IDs by hand):

    for url in urls:
        yield MakeHTTPRequest(url=url, callback=parseResponse)

    def MakeHTTPRequest(url, callback):
        ...

    def parseResponse(response):
        # The error div is absent only when the ID belongs to a real meeting
        if response.css('div#join-errormsg').get() is None:
            print('Valid Meeting ID found: {}'.format(response.url))
        else:
            print('Invalid Meeting ID')
According to Check Point, its researchers were able to predict about 4% of generated Meeting IDs.
The firm contacted Zoom on July 22 last year and proposed several mitigations, including:
- Re-implement the generation algorithm of Meeting IDs
- Replace the randomization function with a cryptographically strong one.
- Increase the number of digits/symbols in the Meeting IDs.
- Force hosts to use passwords/PINs/SSO for authorization purposes.
In response, Zoom took the following actions:
- Passwords are added by default to all future scheduled meetings.
- Users can add a password to already-scheduled future meetings and will receive instructions by email on how to do so.
- Password settings are enforceable at the account level and group level by the account admin.
- Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
- Repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.
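As an added illustration of the last two fixes (no validity oracle in the join response, temporary block after repeated scanning) together with the proposed cryptographically strong ID generation, here is example code that is not Check Point's or Zoom's: the JoinGateway class, the in-memory store and the thresholds are assumptions.

```python
import secrets
import time
from collections import defaultdict

# Constructed thresholds; a real deployment would tune these.
ID_DIGITS = 11
MAX_DISTINCT_IDS = 5      # distinct meeting IDs one client may try per window
WINDOW_SECONDS = 60
BLOCK_SECONDS = 600


def generate_meeting_id(digits=ID_DIGITS):
    """Meeting ID drawn from the OS CSPRNG (secrets), not the random module."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


class JoinGateway:
    """Hypothetical join front end: the same answer for any ID, plus a block
    once one client cycles through too many distinct IDs in a short window."""

    def __init__(self, valid_ids, clock=time.monotonic):
        self.valid_ids = set(valid_ids)
        self.clock = clock                    # injectable for testing
        self.tried = defaultdict(dict)        # client -> {meeting_id: last_seen}
        self.blocked_until = {}

    def is_blocked(self, client):
        return self.blocked_until.get(client, 0.0) > self.clock()

    def join(self, client, meeting_id):
        now = self.clock()
        if self.is_blocked(client):
            return "blocked"
        # Keep only the IDs this client tried inside the sliding window.
        # Retrying one mistyped ID costs nothing; walking many IDs does.
        recent = {m: t for m, t in self.tried[client].items()
                  if now - t < WINDOW_SECONDS}
        recent[meeting_id] = now
        self.tried[client] = recent
        if len(recent) > MAX_DISTINCT_IDS:
            self.blocked_until[client] = now + BLOCK_SECONDS
            return "blocked"
        # No "Invalid meeting ID" marker: valid and invalid IDs get the same
        # response, so the page cannot be used to narrow the pool of meetings.
        _exists = meeting_id in self.valid_ids   # decided later, out of band
        return "joining"
```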