Zoom web client flaw could’ve let hackers crack meetings passcode
The vulnerability, if exploited, would have affected millions of Zoom users; there are more than 13 million Zoom users worldwide.
A majority of people have been forced to work from home in the wake of the worldwide COVID-19 lockdowns. This prompted an unprecedented increase in the use of video conferencing apps such as Zoom and Microsoft Teams.
As more and more people turn to Zoom and use it regularly, the app’s security issues are getting highlighted as well. One such flaw, identified recently, could have let an attacker crack the numeric passcode that protects private meetings.
It is worth noting that Zoom introduced the passcode requirement back in April to provide a secure environment for holding private meetings and prevent the risk of Zoom-bombing. Since April, Zoom meetings, by default, are protected by a 6-digit numeric passcode.
According to the findings of SearchPilot’s VP Product, Tom Anthony, a vulnerability in the Zoom web client allowed an attacker to gain access to password-protected private Zoom meetings. This was possible because an attacker could try all one million possible passcodes within mere minutes.
“With improved threading, and distributing across 4-5 cloud servers you could check the entire password space within a few minutes,” Anthony revealed.
An attacker could abuse Zoom’s web client by repeatedly sending HTTP requests, since the client applied no checks on repeated incorrect passcode attempts. As soon as the passcode was cracked, the attacker could join the ongoing meeting.
Moreover, the same process could be used to access scheduled meetings. Since an attacker does not need to go through all one million passcodes before hitting the right one, cracking a passcode may not take very long. Another point raised by Anthony is that Zoom’s Personal Meeting IDs always carry the same passcode, so an attacker only needs to crack it once to gain permanent access to future sessions.
To prove his point, Anthony used an AWS machine to demonstrate how easy it was to obtain a meeting’s passcode. He cracked the passcode within 25 minutes after checking 91,000 passcodes.
The flaw stemmed from a “lack of rate-limiting” on repeated passcode attempts. The issue was reported to Zoom by Anthony on 1 April 2020, and the company fixed it by 9 April. Afterward, Anthony sent a Python-based PoC (proof-of-concept) to the company.
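The missing control described above, shown as an added example that is neither Zoom’s code nor Anthony’s PoC: a per-meeting passcode check that locks a meeting out after a few failed attempts, plus the worst-case exhaustive-search time that such a throttle imposes. The meeting ID, passcode and limits are constructed values; the 6-digit numeric passcode space is as the article states.

```python
import hmac
import time
from collections import defaultdict

PASSCODE_SPACE = 10 ** 6  # 6-digit numeric passcodes, as described in the article


class PasscodeGate:
    """Hypothetical server-side passcode check with per-meeting attempt throttling."""

    def __init__(self, passcodes, max_attempts=5, lockout_seconds=300, clock=time.monotonic):
        self._passcodes = passcodes          # meeting_id -> correct passcode (constructed data)
        self._max_attempts = max_attempts
        self._lockout = lockout_seconds
        self._clock = clock                  # injectable so the lockout can be tested offline
        self._failures = defaultdict(int)    # meeting_id -> consecutive failed attempts
        self._locked_until = {}              # meeting_id -> monotonic time the lock expires

    def check(self, meeting_id, attempt):
        """Return 'ok', 'wrong' or 'locked'. A locked meeting rejects even the right code."""
        now = self._clock()
        if self._locked_until.get(meeting_id, 0) > now:
            return "locked"
        expected = self._passcodes.get(meeting_id)
        # compare_digest keeps the comparison constant-time so timing does not leak digits
        if expected is not None and hmac.compare_digest(expected, attempt):
            self._failures[meeting_id] = 0
            return "ok"
        self._failures[meeting_id] += 1
        if self._failures[meeting_id] >= self._max_attempts:
            self._failures[meeting_id] = 0
            self._locked_until[meeting_id] = now + self._lockout
            return "locked"
        return "wrong"


def worst_case_search_seconds(max_attempts, lockout_seconds):
    """Time needed to try every passcode against one meeting under this throttle."""
    windows = PASSCODE_SPACE / max_attempts
    return windows * lockout_seconds


if __name__ == "__main__":
    gate = PasscodeGate({"123-456-789": "042817"}, max_attempts=3, lockout_seconds=60)
    print([gate.check("123-456-789", code) for code in ("000000", "000001", "000002")])
    # 5 tries per 5 minutes turns a minutes-long search into roughly 694 days
    print(worst_case_search_seconds(5, 300) / 86400)
```

A per-meeting lock alone lets anyone with the meeting ID lock legitimate participants out, so a production throttle would also key on the requesting session or source address.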
Anthony also found another problem when logging in through the web client: the login process requires a temporary redirect to obtain the user’s consent to Zoom’s privacy policy and terms of service, and if the CSRF HTTP header that should be sent during this step is omitted, the request still works the same way. Anthony took this to mean that the CSRF token serves no purpose; an attacker could easily take advantage of that, since fixing it alone would not have solved the problem.