Zoom-Meeting: Passwords within minutes crackable

[German]Heavy story- the video service Zoom boasts of 'increased security', but makes beginner's mistakes. For example, passwords with 6 digits were assigned by default for private meetings, which could be easily cracked by brute force.


Zoom introduced a passcode for all private video sessions in April 2020. This was a response to combat Zoom bombings, where third parties could intrude and disrupt private meetings to which they were not invited. It was even possible to hijack private zoom meetings.

The Hacker News weist hier aber auf eine schwere Sicherheitslücke in diesen Passcodes hin. Zoom-Meetings waren bis vor kurzem standardmäßig nur durch ein sechsstelliges numerisches Passwort geschützt. Tom Anthony, VP Product bei SearchPilot,stieß auf ein Problem, dass er so beschreibt:

Zoom meetings were default protected by a 6 digit numeric password, meaning 1 million maximum passwords. I discovered a vulnerability in the Zoom web client that allowed checking if a password is correct for a meeting, due to broken CSRF and no rate limiting.

This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people's private (password protected) Zoom meetings.

Zoom meetings were by default protected by a 6-digit numeric password, i.e. what was a maximum of 1 million passwords. Then Anthony discovered a vulnerability in the Zoom web client. This made it possible to check by trial and error whether a password for a meeting was correct. The problem was that the CSRF was broken and there was no rate limit on the number of login attempts. The acronym CSRF stands for Cross-Site-Request-Forgery, an attack on a computer system where the attacker performs a transaction in a web application. Because there was no limit on the number of logon attempts, Anthony (and, of course, an attacker) could try every 1 million passwords in a matter of minutes and gain access to other people's private (password-protected) zoom meetings.

Anthony reported the problem to Zoom, who quickly took the web client offline to resolve the issue. Zoom mitigated the problem by both requiring a user to log in to attend meetings in the Web client and by making the default passwords for meetings no longer numeric and longer. Therefore, this attack no longer works.

Similar articles
Microsoft Teams: Vulnerability allowed account takeover
Microsoft Teams and it's security
0patch for 0-day RCE vulnerability in Zoom for Windows
Zoom & Teams not GDPR compliant useable
Security concerns: Zoom banned in some US schools
Zoom cuts data transfer to Facebook in iOS app


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *