Zoom’s did not limit password attempts and left all private meetings exposed to password cracking, a researcher has discovered.
Web developer Tom Anthony started testing Zoom’s management after seeing the suddenly popular video chat program used by UK Prime Minister Boris Johnson in a cabinet meeting.
“Having also tried to join, I thought I would see if I could crack the password for private Zoom meetings,” Anthony said in a blog post.
“Over the next couple of days, I spent time reverse engineering the endpoints for the web client Zoom provide, and found I was able to iterate over all possible default passwords to discover the password for a given private meeting.”
Large alphanumeric passwords are difficult to crack as the potential combinations expands immensely with the number of possible characters – that is why you will often be prompted to create a password of a minimum length using numbers, letters, and symbols
Zoom meetings defaulted to six-digit numeric passwords meaning for each private meeting there was one million possible passwords.
After scrutinising the login protocols, Anthony whipped together a Python script to brute force a Zoom meeting by batching user IDs and sending request after request until a password worked.
He found trivially easy to bypass Zoom’s cross-site request forgery (CSRF) prevention.
So a few months ago I realised Zoom doesn't rate limit password attempts for meetings, and has only 1 million passwords. Meaning you could join private meetings within minutes. 😮 https://t.co/NDUEmzUprX— Tom Anthony (@TomAnthonySEO) July 29, 2020
On his home machine, Anthony’s script could check 25 passwords a second which – meaning it would take over ten hours to run the full gamut of possible passwords.
“I ran a similar test from a machine in AWS and checked 91k passwords in 25 minutes,” he said.
“With improved threading, and distributing across 4-5 cloud servers, you could check the entire password space within a few minutes. This would be fairly simple to do.”
After disclosing the flaws in Zoom’s CSRF prevention and total lack of rate limits for password attempts in April, Anthony said the company quickly enacted fixes including an enforced sign-in for users of the web client, and a phased rollout of alphanumeric default meeting passwords.
“It was surprising to me that there was a lack of rate limiting on the central mechanism of the platform, which combined with a poor default password system and faulty CSRF meant that meetings were really not secure,” Anthony said.
“However, Zoom’s response was fast, and they quickly addressed the rate limiting issue. Zoom meetings also got a default password upgrade, which is great.”
Unfortunately, Anthony did not receive a bounty for discovering this Zoom flaw. He said he was invited to submit but wanted to wait for Zoom to update its bug bounty program and decided to publish his findings instead.
"I didn’t want to wait in disclosing the bug – they had agreed to disclosure – given it has been fixed for a while," Anthony said.
"I did submit a couple of other small bugs via the private program on HackerOne, and received bounties for those."
Coronavirus lockdowns thrust Zoom into the spotlight, bringing heavy scrutiny about how its data is encrypted and overall security of the platform.
Prior to COVID-19, the company expected about 10 million participants a day. In April, it jumped to 200 million.
Zoom said it has fully resolved the security issues Anthony disclosed.
"We are not aware of any instances of this exploit being used in the wild," a Zoom spokesperson said.
"We thank Tom Anthony for bringing this issue to our attention. If you think you’ve found a security issue with Zoom products, please send a detailed report to firstname.lastname@example.org.”
This story has been updated to include a comment from Zoom.