{"id":15215,"date":"2020-08-01T07:01:52","date_gmt":"2020-08-01T05:01:52","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=15215"},"modified":"2022-10-02T01:27:04","modified_gmt":"2022-10-01T23:27:04","slug":"zoom-meeting-passwords-within-minutes-crackable","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/08\/01\/zoom-meeting-passwords-within-minutes-crackable\/","title":{"rendered":"Zoom-Meeting: Passwords within minutes crackable"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/08\/01\/zoom-meeting-passwrter-binnen-kurzer-zeit-knackbar\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Heavy story: the video service Zoom boasts of 'increased security' but makes beginner's mistakes. For example, passwords with 6 digits were assigned by default for private meetings, which could easily be cracked by brute force.<\/p>\n<p><!--more--><\/p>\n<p>Zoom introduced a passcode for all private video sessions in April 2020. This was a response to Zoom bombing, where third parties intruded on and disrupted private meetings to which they were not invited. It was even possible to hijack private Zoom meetings.<\/p>\n<p>But The Hacker News points out <a href=\"https:\/\/thehackernews.com\/2020\/07\/zoom-meeting-password-hacking.html\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> a serious security vulnerability in these passcodes. Until recently, Zoom meetings were by default protected only by a six-digit numeric password. 
Tom Anthony, VP Product at SearchPilot, came across <a href=\"https:\/\/web.archive.org\/web\/20220826233525\/https:\/\/www.tomanthony.co.uk\/blog\/zoom-security-exploit-crack-private-meeting-passwords\/\" target=\"_blank\" rel=\"noopener noreferrer\">a problem<\/a> that he describes as follows:<\/p>\n<blockquote>\n<p>Zoom meetings were default protected by a 6 digit numeric password, meaning 1 million maximum passwords. I discovered a vulnerability in the Zoom web client that allowed checking if a password is correct for a meeting, due to broken CSRF and no rate limiting.<\/p>\n<p>This enabled an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people's private (password protected) Zoom meetings.<\/p>\n<\/blockquote>\n<p>Zoom meetings were by default protected by a 6-digit numeric password, i.e. a maximum of 1 million possible passwords. Anthony then discovered a vulnerability in the Zoom web client that made it possible to check by trial and error whether a password for a meeting was correct. The problem was that the CSRF protection was broken and there was no rate limit on the number of login attempts. The acronym CSRF stands for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\" target=\"_blank\" rel=\"noopener noreferrer\">Cross-Site Request Forgery<\/a>, an attack in which the attacker makes a victim's browser perform a transaction in a web application on the victim's behalf. Because there was no limit on the number of logon attempts, Anthony (and, of course, an attacker) could try all 1 million passwords in a matter of minutes and gain access to other people's private (password-protected) Zoom meetings.<\/p>\n<p>Anthony reported the problem to Zoom, which quickly took the web client offline to resolve the issue. Zoom mitigated the problem both by requiring users to log in to attend meetings in the web client and by making the default meeting passwords longer and no longer purely numeric. 
Therefore, this attack no longer works.<\/p>\n<p><strong>Similar articles<\/strong><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/04\/28\/microsoft-teams-schwachstelle-erlaubte-kontenbernahme\/\">Microsoft Teams: Vulnerability allowed account takeover<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/01\/20\/microsoft-teams-and-its-security\/\">Microsoft Teams and its security<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/07\/10\/0patch-fr-0-day-rce-schwachstelle-in-zoom-fr-windows\/\">0patch for 0-day RCE vulnerability in Zoom for Windows<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/07\/11\/zoom-teams-nicht-dsgvo-konform-einsetzbar\/\">Zoom &amp; Teams not usable in a GDPR-compliant way<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/04\/06\/sicherheitsbedenken-zoom-in-einigen-us-schulen-verbannt\/\">Security concerns: Zoom banned in some US schools<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/28\/zoom-kappt-datentransfer-zu-facebook-in-ios-app\/\">Zoom cuts data transfer to Facebook in iOS app<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Heavy story: the video service Zoom boasts of 'increased security' but makes beginner's mistakes. 
For example, passwords with 6 digits were assigned by default for private meetings, which could be easily cracked by brute force.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547],"tags":[69,2357],"class_list":["post-15215","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-security","tag-zoom"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/15215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=15215"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/15215\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=15215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=15215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=15215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}