Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A vulnerability in Zoom platform allowed miscreants to join Zoom meetings

A vulnerability in the Zoom online meeting system could be exploited to join meetings and view all content shared by participants.  The popular video conferencing Zoom is affected by a vulnerability that could be exploited to join meetings and view all content shared by participants. The issue allowed anyone to remotely eavesdrop on unprotected active […]

zoom

A vulnerability in the Zoom online meeting system could be exploited to join meetings and view all content shared by participants. 

The popular video conferencing Zoom is affected by a vulnerability that could be exploited to join meetings and view all content shared by participants.

The issue allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session.

The Zoom platform hosts both password-protected virtual meetings and webinars, and sessions for non-pre-registered participants who can join the meetings by entering a unique Meeting ID (comprised of 9, 10, and 11-digit numbers). The latter case doesn’t require a password or going through the Waiting Rooms.

The knowledge of Meeting IDs could allow miscreants joining meetings or webinars.

“The problem was that if you hadn’t enabled the “Require meeting password” option or enabled Waiting Room, which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting i.e. prevented an unauthorized person from connecting to it.” reads the analysis published by CheckPoint.

Check Point experts discovered that an attacker could predict Meeting IDs and join active meetings. 

The researchers generated 1000 potentially valid Zoom Meeting IDs and prepared the URL string for joining the meetings, then they check whether the IDs were valid or not.

urls = []
for _ in range(1000):
urls.append("https://zoom.us/j/{}".format(randint(100000000, 9999999999)))

The experts discovered that it was possible to determine if a Zoom Meeting ID was associated with a valid meeting by analyzing the following div” element present in the HTML Body of the returned response, when accessing “Join Meeting” URL (https://zoom.us/j/{MEETING_ID})

<div id="join-errormsg" class="error"><i></i><span>Invalid meeting ID.</span></div&gt

The discovered were able to automate the verification process.

“We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success, comparing to the pure brute force,” continues Check Point. 

Check Point reported the flaw to Zoom in July 2019 and in September the company addressed it, the platform now requires a password when scheduling new meetings, for instant meetings, and for Personal Meeting ID (PMI). 

Below the list of changes implemented by Zoom for its client\infrastructure:

  1. Passwords are added by default to all future scheduled meetings.
  2. Users can able to add a password to already-scheduled future meetings and received instructions by email on how to do so. See article for instructions: https://support.zoom.us/hc/en-us/articles/360033331271-Account-Setting-Update-Password-Default-for-Meeting-and-Webinar
  3. Password settings are enforceable at the account level and group level by the account admin.
  4. Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
  5. Repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Zoom, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]