National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

Zoom Bug Could Have Let Uninvited People Join Private Meetings

28 January 2020

The massively popular video conferencing software has patched a security loophole that could have allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session.

Besides hosting password-protected virtual meetings and webinars, Zoom also allows users to set up a session for non-pre-registered participants who can join an active meeting by entering a unique Meeting ID, without requiring a password or going through the Waiting Rooms.

Zoom generates this random Meeting ID, a 9-, 10- or 11-digit number, for each meeting you schedule or create. If it leaks beyond the individual or the intended group of people, merely knowing a Meeting ID could allow unwelcome guests to join meetings or webinars.

This could be bad news for anyone expecting their conversations to be private.


To counter such scenarios, Zoom late last year introduced some additional controls under the password settings for meetings and webinars, which, according to Check Point, was the result of research into a security loophole that the security firm responsibly reported to the company in July 2019.

In a report, Check Point researchers demonstrated an effective, automated but unsophisticated enumeration attack that identifies valid randomly generated Meeting IDs far more efficiently than plain brute force.

“A hacker could pre-generate a long list of Zoom Meeting IDs, use automation techniques to quickly verify if a respective Zoom Meeting ID was valid or not, and then gain entry into Zoom meetings that were not password protected,” researchers claimed.

“We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success, compared to the pure brute force.”

As a result of Check Point’s disclosure, Zoom introduced the following security features and functionalities into its cloud-based video conferencing service:

  • Default Passwords — Zoom now, by default, automatically generates a six-digit numeric password for each meeting you create, which participants need to enter when joining by manually entering the Meeting ID.
  • Account and Group Level Password Enforcement — Under new controls, three new password settings are now enforceable at the account, group, and user levels by the account admin.
  • Meeting ID Validation — Zoom will no longer automatically indicate if a meeting ID is valid or invalid, making it harder for automated scripts to determine active meetings. For each connection, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
  • Device blocker — To prevent brute force attacks, repeated attempts to scan for meeting IDs will cause a device to be blocked for some time.
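The three mitigations listed above (a default six-digit passcode, no validity oracle for Meeting IDs, and per-device blocking of repeated attempts) modelled as an added example in Python. This is not Zoom's code; the attempt threshold, the block duration and the in-memory store are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5     # assumed: failed attempts per device before blocking
BLOCK_SECONDS = 600  # assumed: how long a blocked device stays blocked


@dataclass
class Meeting:
    meeting_id: str
    passcode: str


@dataclass
class JoinService:
    """Constructed in-memory model of a hardened meeting join endpoint."""
    meetings: dict = field(default_factory=dict)       # meeting_id -> Meeting
    attempts: dict = field(default_factory=dict)       # device_id -> failed count
    blocked_until: dict = field(default_factory=dict)  # device_id -> timestamp

    def schedule(self, meeting_id: str) -> Meeting:
        # Default passcode: six numeric digits from a CSPRNG, never from random().
        m = Meeting(meeting_id, f"{secrets.randbelow(10**6):06d}")
        self.meetings[meeting_id] = m
        return m

    def join(self, device_id: str, meeting_id: str, passcode: str, now: float) -> str:
        # Device blocker: refuse while the block is active, without touching state.
        if self.blocked_until.get(device_id, 0) > now:
            return "blocked"
        self.attempts[device_id] = self.attempts.get(device_id, 0) + 1
        if self.attempts[device_id] > MAX_ATTEMPTS:
            self.blocked_until[device_id] = now + BLOCK_SECONDS
            self.attempts[device_id] = 0
            return "blocked"
        m = self.meetings.get(meeting_id)
        # No validation oracle: an unknown ID and a wrong passcode yield the same
        # response, and the comparison always runs (against a dummy value when the
        # ID is unknown) so the two cases cannot be told apart by timing either.
        expected = m.passcode if m else "000000"
        ok = hmac.compare_digest(expected.encode(), passcode.encode())
        if m is not None and ok:
            self.attempts[device_id] = 0
            return "joined"
        return "join_failed"
```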

In July last year, Zoom made headlines following a serious security vulnerability in its client app for macOS that allowed remote attackers or malicious websites to turn on users’ device camera without their permission or knowledge.

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
