Zoom web 客户端漏洞可能被黑客用来破解私人会议访问密码

转自：Zoom web client flaw could’ve let hackers crack meetings passcode-Deeba Ahmed

The vulnerability, if exploited, would have affected millions of Zoom users – There are more than 13 million Zoom users worldwide.

• 这个漏洞如果被利用，将有数百万Zoom用户受影响——Zoom在全世界有超过1300万用户。

A majority of people are forced to work from home in the wake of the COVID-19 pandemic-led lockdown worldwide. This prompted an unprecedented increase in the use of video conferencing apps like Zoom and Microsoft Teams

• COVID-19疫情导致全球封锁之后，大多数人被迫远程办公。这使得Zoom、Microsoft Teams等视频会议应用的使用呈现爆发式增长。

As more and more people are turning to Zoom and using it regularly, the app’s security issues are getting highlighted as well. One such flaw was identified recently that could have let an attacker decode the numeric passcode using which people could conduct private meetings securely.

• 随着越来越多的人开始使用Zoom，Zoom的安全问题也越来越引人注意。最近发现了一个这样的漏洞：攻击者通过暴力破解视频会议的数字密码来访问私人会议。

  

It is worth noting that Zoom introduced the passcode requirement back in April to provide a secure environment for holding private meetings and prevent the risk of Zoom-bombing. Since April, Zoom meetings, by default, are protected by a 6-digit numeric passcode.

• 为了给私人会议提供安全的环境，以及防止Zoom被撑爆，Zoom从4月份开始引入了访问密码的机制。默认情况下，Zoom会议的密码是一个6位数的数字密码。

According to the findings of SearhPilot’s VP Product, Tom Anthony, due to a vulnerability in Zoom web client, an attacker can gain access to password-protected private meetings of Zoom users. This can be possible if the attacker tries all the 1 million passwords, which can be done within mere minutes.

• 根据SearhPilot的副总裁Tom Anthony的发现，攻击者利用Zoom web客户端存在漏洞可以访问受密码保护的私人会议。因为攻击者在短短几分钟内就可以尝试100万个密码。

With improved threading, and distributing across 4-5 cloud servers you could check the entire password space within a few minutes,” Anthony revealed.

The attacker can exploit Zoom’s web client and repeatedly send HTTP requests since it hasn’t enabled any checks on repetitive incorrect password attempts. As soon as the passcode is cracked, a hacker can access ongoing meetings.

• 因为Zoom没有过滤禁止任何重复且错误的尝试，所以攻击者可以利用Zoom的web客户端不间断重复发送HTTP请求。一旦密码被破解，黑客就可以访问正在进行的会议。

Moreover, the same process can help in accessing scheduled meetings. Since hackers don’t need to go through all the one million passcodes, it may not take very long to crack the passwords. Another point raised by Anthony is that Zoom’s Personal Meeting IDs always have the same passcode. Therefore, hackers only need to crack their password once to enjoy permanent access to future sessions.

• 此外，该操作同样适用于预定会议。由于破解过程中往往不需要尝试所有的100万个密码，用不了多长时间就能破解密码。Anthony提出的另一个观点是，Zoom的私人会议一旦创建，始终使用相同的密码。因此，黑客只需破解一次，就可以永久访问将要召开的会议。

Anthony used an AWS machine to demonstrate how easy it was to obtain a meeting’s passcode to prove his point. He managed to crack the password within 25 minutes after checking 91,000 passcodes.

• Anthony为证明自己的观点，使用了一台AWS机器演示获取会议密码到底有多么容易。他在25分钟内尝试了91,000个密码后，成功破解了会议密码。

This occurs because of the “lack of rate-limiting” on repeated password attempts. The issue was reported to Zoom by Anthony on 1 April 2020, and the company fixed it by 9 April. Afterward, Anthony sent a Python-based PoC (proof-of-concept) to the company.

• 出现这种漏洞的原因是：对于密码的重试 “缺乏速率限制”。2020年4月1日，Anthony向Zoom提交了这个问题，Zoom于4月9日修复了该问题。之后，Anthony向Zoom发送了一个基于Python的PoC（概念验证）。

  Zoom account suspended’ phishing scam aims at Office 365 credentials

Anthony identified another issue while signing in to the website via the web client. The process requires a temporary redirection to ask for customers’ consent to Zoom’s privacy policy and service terms. If the CSRF HTTP header, which should be sent during this process, is omitted, the request still works the same way. This, according to Anthony, means the CSRF token doesn’t function as required, and an attacker can easily exploit it as fixing it won’t solve the issue.

• Anthony在使用web客户机登录时还发现了另一个问题：登录过程需要一个临时的重定向，以征求用户同意Zoom的隐私政策和服务条款，该过程中如果省略了应该发送的CSRF HTTP头，那么该请求仍然以相同的方式工作。Anthony认为，这意味着CSRF令牌并没有发挥作用，攻击者可以很容易地利用它，因为修复它不能解决问题。