‘Default passwords for Zoom meetings could be cracked within minutes’
The default passwords of Zoom meetings could be cracked within minutes, says a British security researcher. The passwords consisted of a six-digit code, and the service barely limited repeated password attempts. The flaw has since been fixed.
Security researcher Tom Anthony writes on his blog that Zoom’s web client checked whether a password entered for a Zoom meeting was correct using two HTTP requests. The first request sent a combination of a user ID and a password; with the second, Zoom checked whether the previously sent password was correct. Anthony writes that the password could already be cracked with this process alone, but that it would take a relatively long time, because the client had to wait for the server to check each password before sending the next one. With six-digit default passwords, there were at most a million possible passwords to try.
Anthony found that a user could request a new user ID by sending HTTP requests without cookies. In this way the researcher could obtain many IDs, each of which he used to test a different password. Using a Python script with a hundred threads, he was able to check 25 passwords per second. On the cloud service AWS, he managed to check 91,000 passwords in 25 minutes. Had he improved his script and used four to five AWS servers, Anthony claims, he could have cracked any password in minutes. He did not test this so as to ‘not disturb the Zoom service’, but he says he was never throttled or blocked during his earlier attempts.
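To make the throttling gap concrete, here is a small Python simulation added to this article (it is not Zoom’s code or Anthony’s script): a verifier that counts failed attempts either per client ID or per target meeting, and a guesser that, as described above, obtains a fresh client ID for every guess. The keyspace of one million and the rate of 25 guesses per second are the figures from the article; the lock threshold of five attempts is an assumed value.

```python
from collections import defaultdict

KEYSPACE = 10**6          # six-digit numeric default password, per the article
GUESSES_PER_SEC = 25      # guess rate the article reports for one script


def worst_case_seconds(keyspace=KEYSPACE, rate=GUESSES_PER_SEC, workers=1):
    """Time to exhaust the keyspace at a given rate with `workers` parallel scripts."""
    return keyspace / (rate * workers)


class MeetingPasswordCheck:
    """Password verifier with a configurable attempt limit.

    key_by='client'  -> limit per client/user ID (bypassed by minting new IDs)
    key_by='meeting' -> limit per target meeting (holds whatever the client ID)
    """

    def __init__(self, password, key_by, max_attempts=5):  # 5 is an assumed threshold
        self.password = password
        self.key_by = key_by
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)

    def check(self, meeting_id, client_id, guess):
        key = client_id if self.key_by == "client" else meeting_id
        if self.attempts[key] >= self.max_attempts:
            return "locked"
        self.attempts[key] += 1
        return "ok" if guess == self.password else "wrong"


def simulate_rotating_clients(checker, meeting_id, max_guesses=KEYSPACE):
    """Guesser that uses a fresh client ID for every six-digit candidate.

    Returns how many guesses the server actually evaluated before it either
    locked the target or the correct password was found.
    """
    evaluated = 0
    for i in range(max_guesses):
        result = checker.check(meeting_id, client_id=f"client-{i}", guess=f"{i:06d}")
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated
```

With the limit keyed on the client ID the guesser is never locked out and simply walks the keyspace; keyed on the meeting, the target locks after the threshold regardless of how many IDs the guesser mints.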
Recurring Zoom meetings always use the same password, according to Anthony, which compounds the problem. Even meetings that had not yet started but were already scheduled were susceptible to abuse, he says. Zoom did use a cross-site request forgery token that should have prevented abuse, but Anthony managed to bypass it easily.
The researcher contacted Zoom on April 1 to report the problem. He advised, among other things, making the default password longer and limiting repeated password attempts. The video calling service took the web client offline a day later; on April 9 it was fixed and put back online. According to Anthony, Zoom never communicated what it changed in the service, but users must now be logged in to participate via the web client, and default passwords now also contain letters. According to Anthony, the flaw can no longer be exploited.
Zoom has seen a massive increase in the number of users since the coronavirus outbreak. This includes politicians; the British cabinet used the video calling service for its discussions. At the same time, the service turned out to have many security holes, for which the company has previously apologized.