NEW ORLEANS – Enterprise video conferencing firm Zoom has issued a bevy of security fixes after researchers said the company’s platform used weak authentication that made it possible for adversaries to join active meetings.
The issue stems from Zoom’s conference meetings not requiring a “meeting password” by default, which is a password assigned to Zoom attendees for what is calls a meeting room. If meeting creators do not enable a “meeting password,” the only thing securing the meetings are Meeting IDs, which are 9, 10, or 11 digit meeting identifying numbers.
Research unveiled the research Tuesday here at CPX 360, a security event hosted by Check Point Security. The report revealed that it’s possible to correctly predict valid meeting IDs, due to Zoom identifying meeting IDs as “valid” or “invalid” when they are input into the meeting URL. This could open the door to third-party actors eventually being able to guess a meeting ID and enter a conferencing session, said researchers with Check Point Software that presented the research.
“Brute forcing this [meeting ID] range is very hard is you have no feedback from Zoom, but Zoom made a mistake where a tag would identify if meeting IDs are valid or not when users input meeting IDs to the meeting URL,” Yaniv Balmas, head of cyber research for Check Point Software, told Threatpost. “An adversary with intermediate skills could unlock this attack.”
Predicting Meeting IDs
Researchers were able to pre-generate a list of 1,000 randomly-generated, potentially valid meeting IDs. They then took the random IDs and checked them against the URL string used for joining Zoom meetings ((https://zoom.us/j/{MEETING_ID}).
If they paired an ID against the “Join Meeting” URL and it was incorrect, the output would say “invalid Meeting ID;” however, if a valid meeting ID was found, the output would say “Valid Meeting ID found” and list the meeting for which it was validated.
Specifically, the “div” element of the output shows whether a meeting ID is valid or not: “We discovered a fast and easy way to check this based on the following ‘div’ element present in the HTML Body of the returned response, when accessing ‘Join Meeting’ URL,” researchers said.
In this manner, researchers were able to predict 4 percent of randomly generated meeting IDs, “which is a very high chance of success.”
An actual attack has some caveats. While a bad actor could discover a valid meeting ID, they would not know who the meeting URL belongs to or when the meeting would take place, making it nearly impossible to launch targeted attacks. Also, if a threat actor were to enter a meeting, their presence would show, potentially outing them on the call. However, if no one on the meeting notices their presence, such an attack could allow bad actors to snoop in on potentially private meetings and view business documents or presentations.
Mitigations
Researchers said that they contacted Zoom on July 22, 2019 regarding the issue: “Zoom representatives were very collaborative and responded quickly to our emails,” they said.
In response, Zoom now has added passwords by default to any scheduled meetings. In addition Zoom also added features enabling users to add a password to already-scheduled future meeting, and enforce password settings at the account level by an account admin.
Zoom will also no longer automatically indicate if a meeting ID is valid or invalid when a page loads – instead, the page will merely load and attempt to join the meeting (this will bar a bad actor for quickly narrowing the pool of meeting IDs). And, repeated attempts to scan for meeting IDs can cause a device to be blocked “for a period of time.”
“The privacy and security of Zoom’s users is our top priority,” a Zoom spokesperson told Threatpost. “The issue was addressed in August of 2019, and we have continued to add additional features and functionalities to further strengthen our platform. We thank the Check Point team for sharing their research and collaborating with us.”
Video Conferencing Flaws
It’s not the first time that vulnerabilities have been discovered in conferencing systems.
In 2018, a serious vulnerability was discovered in Zoom’s desktop conferencing application could allow a remote attacker to hijack screen controls and kick attendees out of meetings. Last year, a zero-day vulnerability in the Zoom client for Mac allows a malicious website to hijack a user’s web camera without their permission.
Cisco Systems just last week also fixed a high-severity vulnerability in its popular Webex video conferencing platform, which could let strangers barge in on password-protected meetings – no authentication necessary.