Zoom fixes flaw that made private conference calls open to hackers

Security bug in Zoom could have led to corporate espionage due to hacker's presence in private conference calls

Zoom patches the vulnerability that potentially exposed private conversations to third-party people.

Zoom, one of the most commonly used conference platforms that popularized video conferencing software, patched a security flaw that allowed hackers to access various private conference calls unnoticed.^[1] Any person could have accessed unprotected, private meetings and video, audio footage or even documents shared in such a webinar or a conference session.

Zoom hosts password-protected virtual meetings and conferences but also allows users to set up sessions for non-registered participants that can join active conversations without additional logins or passwords required. The only thing that such a person needs is a randomized 9, 10, or 11-digit meeting ID that is generated unique per each conversation.^[2] It such ID got leaked outside the intended group of people anyone that nows the meeting ID can join the meeting and obtain private, valuable or sensitive information unnoticed.

Fortunately, people that enter the call are shown for the meeting creator and other participants, so anyone that doesn't belong to the conversation can be outed immediately. Except no one notices the malicious person and the attack is successful when the actor snoops to get valuable details and documents.

Predicted meeting IDs allow anyone to join the conference

The biggest issue is the fact that Zoom conference meetings are not requiring a password by default, so when the meeting creator does not enable the meeting password anyone that knows the ID can enter.^[3] Researchers additionally revealed that it is possible to predict such a meeting ID and identify which ones are active conversations. When you enter the numbers to the meeting URL the system identifies valid or invalid conversation that is. Any third-party actors can gues such meeting IDs and enter the conference sessions.

Brute forcing this [meeting ID] range is very hard is you have no feedback from Zoom, but Zoom made a mistake where a tag would identify if meeting IDs are valid or not when users input meeting IDs to the meeting URL.

During the analysis of such potential vulnerability exploits a list of 1,000 random valid meeting IDs got generated. It was calculated to be a 4% chance to find valid ones out of random generated meeting IDs. However, these attackers cannot be targeted at any point because people cannot know which URL of the meeting belongs to who or where is it held.

Changes in the security of the conference calls

Zoom now added passwords by default and it can be set to any scheduled meetings. It enforces users to set passwords to already-scheduled meetings and change settings at the account level by the account admin. The company also removed the automatic valid and not valid indications of meeting IDs. Actors could not narrow valid IDs from a pool of random meeting IDs. Repeated attempts of finding meeting IDs can cause an automatic ban for the particular device.

Zoom claims that the privacy and security of users is their top priority and this issue is going to be fixed with additional features and further steps to strengthening the platform. However, video conferencing flaws in the platform got discovered back in 2018.^[4] Desktop conferencing application allowed remote attackers to hijack screens and kick people out of the meetings. Also, a zero-day vulnerability in the Zoom version for macOS that allowed access to webcams got reported last year.^[5] There are a lot of things to fix and take care of when it comes to security and privacy.